Archive for Current Events

Nexus holders smuggle (surprised?)

http://www.cbc.ca/news/canada/british-columbia/story/2011/07/18/bc-nexus-pass-smuggling-border.html?ref=rss

“I’m shocked; shocked to discover gambling in this establishment!”

If you mark people as trusted, some of them will take advantage. It’s human nature. And the answer isn’t more enforcement. If your protective trade tariffs and domestic prices are much too high, people will shop elsewhere. And you can catch people buying engagement rings, but I’m not sure you’ll catch real smugglers, human traffickers, and drug runners.


The Futility of Physical Security Measures

I recently made and posted a YouTube video of my two-year-old son getting a pat-down at airport security.

I figured I should provide a few words of context here to clarify my intent and the circumstances surrounding the video — and what security lessons we should draw from this incident and others like it.

Security researchers know, as commonly accepted wisdom, that no security system, digital or otherwise, is 100% foolproof or secure. Bad things will happen; malicious activity cannot be prevented entirely.

Meaningful security is therefore about managing risk. We, particularly as citizens of a free and open society, should actively question the cost of the security mechanisms imposed to manage that risk and keep us safe. If the risk is low and the cost is high, we should find a better alternative mechanism (or change our policy to make better use of the existing mechanism, change the policy so that other mechanisms can even be considered, or do without).

In any event, the video I recorded is meant to help us ask this question: is patting down toddlers a useful security mechanism? If not, what policy changes should we consider to improve the value we are getting for the investment in airport security measures?

The video shows 44 seconds of what was about a 30 minute episode, so a lot of context is missing, including the ho-hum standard screening that led up to the pat-down and the discussion with various CATSA employees and law enforcement that followed asking me to delete the footage (and finally deciding that it was OK for me to have recorded it and retained it). We submitted to routine screening and were cooperative the entire time (modulo my refusing to hand over my already-scanned laptop with the raw footage while the matter of whether I was allowed to record that footage was still pending).

One of the chemical sensors detected something (no idea what substance or in what concentration) on our baby food jars. This alert triggered an automatic escalation to re-screening and a choice between a pat-down and the X-ray scanner (it is impossible to tell what X-ray technology they are using, how it is calibrated, whether rigorous independent testing is performed, etc., so we chose the pat-down, knowing that we would be denied boarding if we didn’t comply). At this point a CATSA employee (for those in the US, CATSA is the Canadian equivalent of the TSA) gave my two-year-old son a quick pat-down. Knowing the pat-down was coming, I opened my laptop and started recording.

I emphasize that the agent was quick and courteous, and did not hurt my son (he later gave me a pat down and was also quick and friendly). I have no problem with the CATSA employees — they are just being asked to complete their jobs and carry out the security mechanisms that policy puts in place.

However, I still think something is deeply amiss if we consider patting down a toddler (who was in toddler PJs, which, as any parent can tell you, are fairly impossible to hide something in) a valid, high-efficacy security mechanism. So I did the only thing I could to retain some measure of control, and that was to record the incident.

Why did I do this?

Because sometimes we get so used to something (and as a frequent flyer I’ve been through about 60 screenings a year for the past 5 years) that we just come to accept it as good and proper. We shuffle through a line at 6:30 in the morning, half-awake, and comply with requests that are, in retrospect, totally absurd. That slope gets slippery quickly. Humans are disposed to obey authority (see the Milgram obedience experiments and the Stanford prison experiment).

Is our current approach to physical safety in commercial airline travel useful? Does it work? Is it consistent with our values? Are there safer, more effective mechanisms that preserve our dignity? Is there an open process of public calibration and testing for these mechanisms?

A lot of people are uncomfortable with the line we seem to be crossing to defend against a constantly moving, amorphous, low-risk threat. But only a few people seem to actually want to say something. As the signs on MTA transit say: “If you see something, say something.” The phrase could just as easily apply to citizen oversight of security measures, not just to the “weird stuff” citizens are asked to report to local law enforcement. You have a right to speak up if you don’t like something.

I was asked to delete the video and was told that it was illegal for me to record checkpoints. Here is a list of evidence to the contrary (kudos to P. Mocek for blazing a trail here):

CATSA FAQ: http://www.catsa.gc.ca/Page.aspx?ID=26&pname=TravellerFAQs_FAQVoyageurs&lang=en&sid=7&sname=Pre-Board-Screening-Experience_Processus-de-controle-preembarquement

http://blog.tsa.gov/2009/03/can-i-take-photos-at-checkpoint-and.html

http://www.papersplease.org/wp/mocek/

http://articles.cnn.com/2010-11-25/tech/shooting.video.tsa_1_tsa-s-office-tsa-checkpoints-shooting-video?_s=PM:TECH

http://www.krages.com/phoright.htm

http://www.freerepublic.com/focus/f-bloggers/2632673/posts

http://www.flyertalk.com/forum/travel-safety-security/938543-pv-alert-can-i-take-photos-checkpoint-airport-13.html

http://www.boingboing.net/2011/01/24/flier-beats-tsa-vide.html

The TSA also says: “We recognize that using video and photography equipment is a constitutionally protected activity unless it interferes with the screening process at our checkpoints.” (see the TSA blog post linked above)


BestBuy (and others) Disclose My Email Addr

Update 5 April 2011: This is a big story. A big IT services FAIL: http://www.cbc.ca/news/business/story/2011/04/05/business-data-breach.html?ref=rss

I’m getting ready for the wave of spam. The vendor that runs BestBuy’s direct email service (i.e., its legitimate spam) was hacked, and the attackers got real, live email addresses:

http://www.thestreet.com/story/11070689/1/retailers-victims-of-e-mail-hackers.html?CM_VEN=AD|TWR|JC

On the one hand, this is no big deal. On the other, it’s kind of annoying: not the incident itself, but the typical response, which comes from a BestBuy corporate Executive Vice President of Marketing. Yes, the customer notification comes not from the technical staff but from the spin machine (see the email in its entirety below).

I love the vagueness in these notification emails assuring users that nothing else of value was disclosed and that the “appropriate authorities” were notified.

Just once, I’d love an honest message: “We have no idea what they actually got, and neither do the 3rd-party consulting firm or the FBI. I’m sorry we left the default password as ‘password’ on our firewall. We’ll give you $10 of BestBuy credit toward your next purchase.”

What I find lovely is that our (by which I mean the information security community) best advice boils down to six relatively useless recommendations:

http://www.geeksquad.com/do-it-yourself/tech-tip/six-steps-to-keeping-your-data-safe.aspx

Dear Valued Best Buy Customer,

On March 31, we were informed by Epsilon, a company we use to send emails to our customers, that files containing the email addresses of some Best Buy customers were accessed without authorization.

We have been assured by Epsilon that the only information that may have been obtained was your email address and that the accessed files did not include any other information. A rigorous assessment by Epsilon determined that no other information is at risk. We are actively investigating to confirm this.

For your security, however, we wanted to call this matter to your attention. We ask that you remain alert to any unusual or suspicious emails. As our experts at Geek Squad would tell you, be very cautious when opening links or attachments from unknown senders.

In keeping with best industry security practices, Best Buy will never ask you to provide or confirm any information, including credit card numbers, unless you are on our secure e-commerce site, www.bestbuy.com. If you receive an email asking for personal information, delete it. It did not come from Best Buy.

Our service provider has reported this incident to the appropriate authorities.

We regret this has taken place and for any inconvenience this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information. For more information on keeping your data safe, please visit:

http://www.geeksquad.com/do-it-yourself/tech-tip/six-steps-to-keeping-your-data-safe.aspx.

Sincerely,

Barry Judge
Executive Vice President & Chief Marketing Officer
Best Buy

Update 4 April 2011: It looks like Marriott used the same service. This is a cloud failure mode: a shared vendor concentrates risk. Think about it. All an attacker needs to do is compromise a single vendor, and they get multiple customers’ information streams.

April 4, 2011

Dear Marriott Customer,

We were recently notified by Epsilon, a marketing vendor used by Marriott International, Inc. to manage customer emails, that an unauthorized third party gained access to a number of Epsilon’s accounts including Marriott’s email list.

In all likelihood, this will not impact you. However, we recommend that you continue to be on the alert for spam emails requesting personal or sensitive information. Please understand and be assured that Marriott does not send emails requesting customers to verify personal information.

We take your privacy very seriously. Marriott has a long-standing commitment to protecting the privacy of the personal information that our guests entrust to us. We regret this has taken place and apologize for any inconvenience.

Please visit our FAQ to learn more.

Sincerely,

Marriott International, Inc.

and the FAQ has this content:

April 4, 2011

What happened?
Marriott International Inc. was recently notified by Epsilon, a marketing vendor used by Marriott to manage customer emails, that an unauthorized third party gained access to a number of Epsilon’s accounts including Marriott’s email list.

What Marriott information was accessed?
The unauthorized person(s) had access to names and email addresses only. They did not have access to sensitive customer information, such as physical addresses, loyalty program point balances, account logins and passwords, credit card information or other personal data.

How does this affect Marriott customers?
There is a possibility that customers whose email addresses were obtained may receive unsolicited emails (i.e., spam or phishing). Marriott has a long-standing commitment to protecting the privacy of the personal information that our guests entrust to us. As a result, Marriott never sells or rents member lists.

What is Epsilon doing about this?
Epsilon has notified Marriott that they have identified where the breach took place and has taken the necessary steps to prevent additional data loss. Epsilon has further informed us that they have notified law enforcement and that additional security precautions have been put in place to help prevent future incidents.


An Independent Internet: The Cloud Won’t Save You

Sad story about pressure on wikileaks’s ability to distribute content (see link below).

Wikileaks runs into two problems:

  1. government pressure against companies providing hosting or directory services to wikileaks material
  2. “market” pressure arising from a DDoS attack against shared infrastructure with enough collateral damage to force the infrastructure owner to stop providing hosting or directory services

What are the design criteria for a world-wide information network that can resist these forms of pressure? In other words, given their own laptop and a reliable source of energy, how can individuals create a truly global P2P information infrastructure independent of government or business influence? (Things like Tor are a red herring here; the point is to be totally divorced from running on top of existing Internet infrastructure.) Yes, this raises all sorts of security issues around namespace control, capacity, and DoS, but it seems like an interesting thought experiment.

http://arstechnica.com/tech-policy/news/2010/12/wheres-wikileaks-the-infowar-is-on-as-site-hops-servers.ars


Lax Institutional Cybersecurity Bites UNC Cancer Researcher

http://chronicle.com/article/Chapel-Hill-Researcher-Fights/124821/

The article is fairly sympathetic to her (Bonnie C. Yankaskas, Ph.D.) plight; if those are substantially the facts as reported, this looks like an administration undertaking C-Y-A security measures.

Can a non-specialist, even as PI of the project, be blamed for not following “best practices” when most best practices are (1) ill-defined and (2) worthless against skilled attackers?

If I were a CISO, I’d say persecution is _exactly_ the wrong way to go about convincing people of the importance of protecting PII. Quick, everybody, break out your snake oil: the people at UNC will shortly be buying.


Using GPS to Violate the 4th Amendment

Threats to privacy exist in a number of forms. What is interesting about the following case is that the government is using the prosecution of someone who is probably guilty of breaking drug laws as a vehicle to expand its surveillance powers over law-abiding citizens. This is akin to the story of the motorcyclist in Maryland who was charged with wiretapping the police who pulled him over simply because he had a helmet cam. If the government can’t tolerate being observed, taped, recorded, and tracked, then why should citizens? Is not the citizen supreme? Doesn’t the government exist to serve the citizen, not the other way around?

http://www.time.com/time/nation/article/0,8599,2013150,00.html?hpt=T2 (Time.com)

It seems like we’ve reached a state in the US where the value proposition of living in a “free” republic has become less meaningful. Four hundred years ago, European settlers were quite willing to live on the frontier, braving the dangers that come with little or no infrastructure in return for the freedom of self-determination. In contrast, modern America seems to have become addicted to too many comforts; in the course of “outsourcing” the maintenance of law and order (so that we can continue ordering Starbucks, sending Tweets, and watching American Idol), we’ve given away extraordinary powers to those “security” institutions.

And here is the irony of it all — these institutions, faced with solving an impossible problem (the security and safety of every citizen) continually request (or seize) even more power, justifying said initiatives by claiming they need yet another power to keep us safe. This gradual process inexorably ends in a police state: there is no other social attractor at the end of this particular road. Only a determined and vigilant effort at reducing the size and scope of government power can combat this tendency. It likely takes civic leaders willing to assume a short, unspectacular political career: they come in, fix the problem, upset some portion of the electorate, and subsequently get voted out.


Shutting Down the Internet

I was recently cited, among others (including Sal Stolfo and Chris Kruegel), for a Politifact article by Lukas Pleva on whether it was possible for private industry to shut down the Internet as a protection measure during some large-scale cyber attack with or without some form of government involvement:

The article is here:
Glenn Beck Host Says Obama May Soon Be Able to Shut Down the Internet

Although the folks cited in the article generally agree that the technical capability to do such a thing exists in the private sector, the experts question either the wisdom of such a move or the probability of such an action actually occurring without some form of high-level coordination between their corporate overlords and either the military or some civilian government agency.

The question of whether the government should have its hand on an Internet Kill Switch (this phrase itself smacks of hyperbole, and may be an overreaction or misrepresentation of the actual proposed legislation) has been raised largely due to provisions in recently proposed legislation, a previous version of which this blog has commented on before. This new round of media hysteria was prompted by Joe Lieberman’s resurrection of a similar, but more measured (by some accounts) idea. Schneier recently blogged about his take on this whole controversy.

Both obvious and subtle questions exist here, including:

  1. What does “shut down” mean?
  2. How complete would this shutdown be?
  3. Is it desirable to shut down the Internet during a cyber attack?
  4. Is it technically possible to do so?
  5. Is it administratively or politically possible to do so?
  6. Do private Tier 1 ISPs need either government permission or {technical, logistical, communications} assistance to unplug?
  7. How fast can this shutdown event take place?
  8. Where should ultimate authority for such a move rest?
  9. Under what conditions do we plug back in?
  10. Are there alternatives?

We’ll try to deal with these below one at a time. Briefly, the answer depends on what type of threat it is, what “shutting down” the Internet means, and whether we distinguish between an administrative decision to shutdown versus a technical action to accomplish or realize this shutdown.

Disclaimer: There are only a few folks on the planet who fully understand the subtleties of controlling BGP and interdomain routing and working with it on a daily basis; I don’t pretend to be one of them. I’ve studied the basics of Internet routing along with academic research on routing security issues, but I’m willing to take correction or feedback if I’ve gotten something wrong.

1. What Do You Mean by “Shutdown”?

This term may entail a different series of actions and events to different people. I take it to mean the termination of layer 3 (i.e., IP) connectivity and the termination of the BGP sessions and routes between major U.S. and North American ISPs and the rest of the world. Such a termination of connectivity could be accomplished in any number of ways (some more realistic than others), such as (1) physically unplugging or severing border router links, cables, and fiber; (2) setting up traffic filters on border routers using their installed software (e.g., IOS access lists), a step quite similar to writing “firewall” rules for network packet filters like BSD pf or Linux iptables/netfilter; (3) ceasing to announce BGP routes or issuing BGP route withdrawal messages; or (4) setting a pack of rabid backhoes loose near network POPs and peering points.

“Shutdown” could also entail the activation of a large number of network filters looking for certain flows, content, or source addresses, networks, or routing prefixes (in the core, these are essentially the same data). These filters would have the effect of limiting traffic from flowing without completely disconnecting machinery or routing paths or implying some type of shut off or power outage.

2. How Complete Would the Shutdown Be?

There are private-sector companies (i.e., large Internet Service Providers or ISPs) that control much of the core Internet infrastructure (e.g., interdomain routing and DNS) and that could shut down this infrastructure (i.e., the servers and routers running these protocols) during some kind of global conflict. While it is true that there are a large number of ISPs, only a few really big players exist, and if they decided to terminate connectivity, that action would take out a large chunk of the network. Such an action by “US-friendly companies” would take large sections of the US and some other countries offline (the US serves as a transit network for a lot of worldwide traffic simply because many communications lines pass through us).

Such a shutdown would necessarily be incomplete. The Internet’s packet-switched design routes around failures (the popular claim that it was built to survive a nuclear attack is at best a half-truth, but the resilience is real). Taking the US routing infrastructure offline would still leave the rest of the world connected: after a few minutes of BGP reconvergence, the rest of the world would be exchanging traffic again, probably more slowly (since a lot of high-capacity links land in the US), but connected nonetheless, modulo specific destinations left unreachable simply because of how the physical and virtual infrastructure is wired together. Many smaller regional ISPs have peering agreements and relationships that would still allow some traffic to flow, albeit more slowly (or not very widely).

The bottom line is that no single company (or government) has the ability to shut off the Internet as a whole, but a small number of companies could disconnect large segments of it if they both chose and agreed to do so (which entails some administrative oversight giving permission to such a drastic change, since ISPs are paid to route traffic: no packets moving, no money).
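The incompleteness argument above can be made concrete with a small simulation. The following is an added example, not code from the original post: it models a handful of hypothetical ASes (the names, links and prefixes are constructed for illustration and are not real AS numbers, peering data or routes; the prefixes come from the RFC 5737 and RFC 3849 documentation ranges) and reports what each vantage point can still reach once the two “US tier 1” ASes withdraw every route and drop their BGP sessions. It deliberately ignores routing policy (local preference, valley-free paths), so the post-shutdown reachability it reports is an upper bound on what real policy would permit.

```python
from collections import deque

# Constructed AS-level topology (not real AS numbers or peering data).
# Each key is an AS; each value is the set of ASes it has a BGP session with.
TOPOLOGY = {
    "US-T1-A":   {"US-T1-B", "US-REG-1", "EU-T1", "ASIA-T1", "LATAM-REG"},
    "US-T1-B":   {"US-T1-A", "US-REG-2", "EU-T1"},
    "US-REG-1":  {"US-T1-A", "US-REG-2"},        # the two US regionals peer directly
    "US-REG-2":  {"US-T1-B", "US-REG-1"},
    "EU-T1":     {"US-T1-A", "US-T1-B", "EU-REG", "ME-REG"},
    "EU-REG":    {"EU-T1"},
    "ME-REG":    {"EU-T1", "ME-T1"},             # a slower non-US path from EU to Asia
    "ME-T1":     {"ME-REG", "ASIA-T1"},
    "ASIA-T1":   {"US-T1-A", "ME-T1", "ASIA-REG"},
    "ASIA-REG":  {"ASIA-T1"},
    "LATAM-REG": {"US-T1-A"},                    # single-homed behind a US tier 1
}

# Constructed prefix originations (documentation ranges, not real routes).
ORIGINS = {
    "192.0.2.0/24":    "US-REG-1",
    "198.51.100.0/24": "US-REG-2",
    "203.0.113.0/24":  "EU-REG",
    "2001:db8:1::/48": "ASIA-REG",
    "2001:db8:2::/48": "LATAM-REG",
}

US_TIER1 = {"US-T1-A", "US-T1-B"}


def withdraw(topology, withdrawn):
    """Model a BGP-level shutdown by the `withdrawn` ASes: each tears down its
    eBGP sessions (equivalently, withdraws every route it ever announced).
    Returns a new adjacency map in which the withdrawn ASes keep no neighbours."""
    return {
        asn: (set() if asn in withdrawn else {n for n in nbrs if n not in withdrawn})
        for asn, nbrs in topology.items()
    }


def as_path_lengths(topology, source):
    """BFS over AS adjacencies: shortest AS-hop distance from `source` to every
    AS still reachable. Policy-free, so this over-approximates real reachability."""
    dist = {source: 0}
    queue = deque([source])
    while queue:
        cur = queue.popleft()
        for nbr in topology[cur]:
            if nbr not in dist:
                dist[nbr] = dist[cur] + 1
                queue.append(nbr)
    return dist


def reachable_prefixes(topology, origins, source):
    """Prefixes whose origin AS `source` can still reach, mapped to AS-hop count."""
    dist = as_path_lengths(topology, source)
    return {pfx: dist[org] for pfx, org in origins.items() if org in dist}


def shutdown_report(topology, origins, withdrawn, vantage):
    """Compare reachability from `vantage` before and after the `withdrawn` ASes
    pull their routes. Returns (before, after) prefix -> AS-hop maps."""
    before = reachable_prefixes(topology, origins, vantage)
    after = reachable_prefixes(withdraw(topology, withdrawn), origins, vantage)
    return before, after


if __name__ == "__main__":
    for vantage in ("EU-REG", "US-REG-1", "ASIA-REG", "LATAM-REG"):
        before, after = shutdown_report(TOPOLOGY, ORIGINS, US_TIER1, vantage)
        lost = sorted(set(before) - set(after))
        slower = sorted(p for p in after if after[p] > before[p])
        print(f"{vantage}: lost {lost}; longer paths to {slower}")
```

Running it shows EU-REG losing the US and LATAM prefixes and taking a longer AS path to ASIA-REG, while the two US regional ISPs keep reaching each other over their direct peering: exactly the partial-partition outcome described above. The single-homed LATAM-REG is cut off entirely, because all of its transit ran through a US tier 1.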

3. Do We Want to Shutdown?

I think legitimate concerns exist as to whether a shutdown provides the right response in any reasonable case. While we have been conditioned by certain software practices that a reboot or reinstall is the standard way of getting back to a known good state, terminating the global instance of BGP (or a large portion thereof) represents a risky (albeit fascinating) and uncontrolled experiment.

Also, in most cases, eliminating this infrastructure would be the absolute worst course of action system defenders could take, as it greatly reduces communications (email, VoIP, social networking) that defenders require to coordinate against a large-scale threat. Even in the most dire of circumstances (i.e., whatever movie-plot scenario one might imagine), such action really isn’t an option — there are many ways to filter or reduce certain types of traffic that would be much more effective than simply severing links.
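To make the contrast between selective filtering and severing links concrete, here is an added example (not from the original post) that scores several filter policies against a constructed flow sample: the prefix- and rate-based filtering that section 1 likens to pf or iptables rules, applied at the border instead of pulling the plug. The flows, prefixes and thresholds are made up for illustration; the attack flag on each flow is ground truth used only to score a policy, not something a real filter ever sees.

```python
import ipaddress
from collections import Counter

# Constructed flow sample (no real traffic; documentation-range addresses).
# Each record is (src, dst, dport, is_attack). The is_attack flag is ground
# truth used only for scoring; a real border filter never sees it.
LEGIT = [
    ("198.51.100.7",   "192.0.2.10", 443, False),
    ("198.51.100.9",   "192.0.2.10", 443, False),
    ("198.51.100.200", "192.0.2.10", 443, False),
    ("203.0.113.5",    "192.0.2.10",  25, False),
    ("203.0.113.8",    "192.0.2.11", 443, False),
    ("203.0.113.9",    "192.0.2.11",  22, False),
]
# Attack mix: 40 low-rate sources spread across one netblock, plus one loud source.
ATTACK = [("203.0.113.%d" % i, "192.0.2.10", 80, True) for i in range(100, 140)]
ATTACK += [("198.51.100.66", "192.0.2.10", 80, True)] * 25
FLOWS = LEGIT + ATTACK


def policy_sever(flows):
    """The 'pull the plug' option: every flow is dropped, attack or not."""
    return [True] * len(flows)


def policy_prefix_acl(drop_prefixes):
    """Border ACL dropping any flow sourced from the listed prefixes (what a
    per-prefix iptables/pf rule or a BGP blackhole route accomplishes)."""
    nets = [ipaddress.ip_network(p) for p in drop_prefixes]

    def apply(flows):
        return [any(ipaddress.ip_address(src) in n for n in nets)
                for src, _, _, _ in flows]
    return apply


def policy_rate_limit(max_flows_per_source):
    """Drop every flow from a source that exceeds a per-source flow budget
    within the sample window; this is what catches a single loud source."""
    def apply(flows):
        per_src = Counter(src for src, _, _, _ in flows)
        return [per_src[src] > max_flows_per_source for src, _, _, _ in flows]
    return apply


def policy_any(*policies):
    """Layer filters: a flow is dropped if any component policy drops it."""
    def apply(flows):
        decisions = [p(flows) for p in policies]
        return [any(col) for col in zip(*decisions)]
    return apply


def score(flows, drops):
    """Count dropped attack flows and dropped legitimate flows; the latter is
    the collateral damage of the policy."""
    tally = Counter()
    for (_, _, _, is_attack), dropped in zip(flows, drops):
        kind = "attack" if is_attack else "legit"
        tally[kind + "_total"] += 1
        tally[kind + "_dropped"] += int(dropped)
    return dict(tally)


ATTACK_PREFIXES = ["203.0.113.96/27", "203.0.113.128/27"]  # constructed blackhole list
POLICIES = {
    "sever all links":       policy_sever,
    "prefix ACL":            policy_prefix_acl(ATTACK_PREFIXES),
    "per-source rate limit": policy_rate_limit(10),
    "ACL + rate limit":      policy_any(policy_prefix_acl(ATTACK_PREFIXES),
                                        policy_rate_limit(10)),
}


def compare(flows=FLOWS, policies=POLICIES):
    """Score every policy on the same flow sample."""
    return {name: score(flows, pol(flows)) for name, pol in policies.items()}


if __name__ == "__main__":
    for name, s in compare().items():
        print("%-22s attack dropped %2d/%d, legitimate dropped %d/%d" % (
            name, s["attack_dropped"], s["attack_total"],
            s["legit_dropped"], s["legit_total"]))
```

Severing every link stops all 65 attack flows at the cost of all 6 legitimate ones; the prefix ACL and the per-source rate limit each catch part of the attack (the spread-out sources and the loud single source, respectively) with no collateral damage, and the two layered together catch all of it while leaving the defenders’ own traffic flowing.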

4. Is it Technically Straightforward to Accomplish This Shutdown?

I claim that it is technically “trivial” to shut down the US part of the Internet. Private-sector companies run this infrastructure, and their network operators have the skill and knowledge to configure it. In fact, accidental misconfigurations that severely disrupt connectivity occur quite often through simple human error; see, for example, the AS7007 incident, in which a single AS re-announced a large share of the Internet’s routes with itself as the origin. One need not ask the US government for technical aid in the shutdown process. It should be as simple as pressing the right buttons, although I don’t know whether these technicians actually practice such a maneuver or plan for it. Even if they do, I take it as given that they might make mistakes in the heat of the moment.

5. Is it Administratively or Politically Straightforward to Do So?

I’d say “no” and give as evidence the furor over this topic. I think that the political world tends to view the Internet as akin to any other piece of infrastructure (roads, water system, electrical grid), and I doubt that analogy provides a serviceable one. In the case of an Internet-scale attack on US information infrastructure, I don’t think that the conditions for the President to request a shutdown are clear or at all well-understood: the administration would almost certainly require private-sector analysis to inform its opinion. Furthermore, from a technical standpoint, this is the “nuclear” option, and we have no technology that tells us “how bad” a cyberattack actually is: are we being tickled with a feather, walloped by an anvil, or smacked on the backside with a plastic shovel? A misjudgment and overreaction here could be a cure much worse than the (misdiagnosed) disease.

6. Do Tier 1 ISPs Require Corporate, Political, or Military Involvement?

This answer depends on the definition of “involvement.” Much of the argument on this topic has been phrased in absolute terms: an administration would have sole command authority to issue an “Internet Kill” order. While government has not restrained itself from overreaching in the technical sphere before (see, for example, the downsides of CALEA and its invasion of the academic sphere), I doubt that political authority over the Internet would really assume this kind of authoritarian form (my personal politics make me extremely uncomfortable with this level of government control, so perhaps this is wildly optimistic thinking on my part). I don’t think that the government would either command or require ISPs to seek permission to enact large-scale filtering.

Nor do I think that ISPs would need a government whip to work together. Although ISPs compete with each other in a number of dimensions, and policy dictates the actual routing, ISPs also peer with each other and cooperate on a range of issues.

I don’t think that the ISPs need government assistance in terms of logistics; there is no need for the government to set up a hotline, website, working groups, committees, panels, etc. to help ISPs talk with each other during such an emergency. Such communication could happen over the channels that ISPs have already established (some of these are informal contacts such as network operators sharing cell phone numbers) for Internet-scale emergencies, which happen regularly due to simple misconfiguration or failure of physical infrastructure.

In fact, the relationship is almost exactly the other way around: government requires industry assistance in terms of information, data, and analysis in case of such an event.

I do, however, concur that some part of the government would want to be in the decision loop for taking such a drastic step. They may not actually give the go-ahead or command that it be done, but I suspect that they’d want veto power or at least a warning that the business community was about to do this. This organ might be DHS, DOD, DNI, Interior, Commerce, NSA, or some other agency; I doubt the government has a coordinated plan or point of contact for such events (which I suspect was the intent behind the relevant clauses in the Rockefeller-Snowe bill to enable the executive branch to make such a call). I see this legislative attempt as a symptom of a government/administration that is on the verge of “getting it” in terms of the importance of critical information infrastructure, even if the expression of this awareness is to introduce clarity in the form of additional executive branch power over private commerce.

7. How Fast Could the Shutdown Take Place?

Network operators — the actual technicians in charge of routers and other network equipment — are a small, fairly tight-knit community. Even though these engineers work for many different companies, they (at least those working for the major players or Tier 1 ISPs) know each other quite well, and NANOG holds regular meetings. Informal cooperation happens all the time. I expect that in an Internet-scale emergency (as there have been in the past), this community would be in touch with each other quite quickly: so it is conceivable that they could coordinate a response to a major event and terminate basic connectivity within a matter of hours or minutes. Such a move would probably require some cooperation and coordination from both the political/military world as well as corporate approval. I assume that some minimal coordination happens before admins start typing at keyboards…but in a flat-out emergency, shutting off network interfaces can be accomplished very quickly.

Once corporate leaders (alone or in consultation with civilian or military leaders) reach a decision, the technical work of shutting down routers and other networking equipment can be completed within a few minutes. The bulk of any delay in reducing connectivity almost certainly rests in the human and policy decisions necessary to give the green light to such activity. I suspect that Tier 1 ISPs have some business process (independent of government regulation or cooperation) that requires VP- or Director-level permission to execute such an action.

8. Where Should Ultimate Authority for Such a Move Rest?

This is the whole point, isn’t it? The answer depends on your politics. From a technical perspective, this is the difference between “policy” and “mechanism.” The mechanism is in place and sits almost entirely in private hands. The policy is distributed across the private and public sector, and I’m willing to believe that factions exist in both spheres that respectively (1) want and (2) abhor the responsibility for making such a call.

9. Under What Conditions Do We Plug Back In?

I see this question as more important than the others. Pulling the plug is a decision made under a certain set of circumstances and with a certain set of criteria in mind; have the politicians planned for when it will again be “safe” to plug back into the Internet? How will they know for sure? Do they realize that the Internet is already a very loud and risky battleground, and that we run this risk every day? Should all commerce, community, and information exchange grind to a halt simply because a few politicians and White House advisors got a bit nervous during a particularly loud cyberattack? Can the US financial markets and other information infrastructure be offline for extended periods of time?

This question highlights how (from a technical perspective) the issue of an Internet kill switch (either public or private) seems a bit nonsensical: it is overkill and almost certainly something likely to be used in a knee-jerk fashion with no thought for the recovery complexity. There is probably a good analogy to be made here that illustrates the self-defeating futility of disconnection, but I can’t think of one at the moment.

10. What Are the Alternatives?

The deployment of “reasonable” alternative defenses or reactions differs based on what type of attack we have to consider. Companies (including large ISPs, but also your “average” Fortune 500) have a variety of other internal defense mechanisms against cyberattack (coordinated or otherwise), but the efficacy of these mechanisms varies widely, and the effect is almost always local or limited to their own network infrastructure.

More Resources

For understanding interdomain routing, a good place to start is Tim Griffin’s page. You can move on to JI’s Fall 2002 Internet Routing course at Columbia and then Radia Perlman’s Interconnections book.

The company Renesys also provides deep, wide analysis of Internet-scale phenomena and conditions. At least in the public world, they have no serious competitor.

[Updated 15 July to point to Schneier's blog post. -Ed.]


SISMAT 2010 Seminar and Infosec Education Funding

I recently spent 11 days in Hanover, NH at Dartmouth College leading the SISMAT (Secure Information Systems Mentoring and Training) summer seminar. This seminar is one part of a comprehensive training, job, and research program for undergraduates. Students go on to an internship in information security and then a follow-on research project at their home institution under the guidance of a local faculty mentor and with occasional advice and support from us.

This year was the third year of SISMAT. Sergey and I refreshed the curriculum and implemented some changes inspired by the “failure modes” learning pattern we (inadvertently) discovered during last year’s seminar (as described in our March SIGCSE paper).

Briefly, the failure modes philosophy holds that students learn topics (e.g., networks) more naturally by observing the interplay in failures of a system (e.g., at layer 2 and layer 3 when certain services or connectivity don’t exist). This learning style seems more informative than just hitting students with the standard code pattern for opening a socket in C or Java. We tried to apply this principle (along with some other Hacker Curriculum principles) to other areas of the craft, including hands-on exercises with Web application vulnerabilities, disassembling various pieces of shellcode, and analyzing the detritus of a real intrusion.

SISMAT is always a lot of fun, and this year we had a great group of lively and talented students who are now well on their way to becoming (ethical) hackers. So far we’ve had 23 students go through the program, and we’ve had about a dozen faculty mentors from these students’ home institutions. We’re in the process of tracing how their projects and future careers have gone.

With severely limited funding for innovative cybersecurity education programs, we’re happy to do our part in fulfilling the need for well-educated information assurance professionals (and we’re grateful to the organizations that have funded us so far). It’s too bad that the prevailing opinion is that nothing fundamental or innovative could possibly happen in the education space: basic research into techniques, mechanisms, and systems is valued much more than actually producing well-educated cybersecurity professionals.


Ethical Vulnerability Disclosure (+mediacircus)

Today there was a meaty post (on the longish side, but worth it) on the DailyDave mailing list about ethical disclosure of vulnerabilities with respect to a recent Microsoft vulnerability.

http://lists.immunitysec.com/pipermail/dailydave/2010-June/006130.html

Juicy tidbit:

“So since most researchers in the security community have had their spines and sense of justice/fairness contractually removed by their respective employers, I’d like to comment on some of these topics. The purpose of my mail is to call out (by name) the individuals, “journalists”, and companies that manufactured the controversy for their own benefit.”

There seem to be powerful motivations for both companies and “news”-hungry journalists and bloggers to spin tech events any way they want. Besides the main point about curtailing the motivation for ethical vulnerability research, I suppose this episode serves as a cautionary tale about the credibility of the “new media.”


US Cybersecurity Research Agenda

