New Paris Cyber-Accord: Nice words. What comes next?

The accord and Macron’s words are a bit “aspirational”.

Recently France has taken the initiative to produce what they call The Paris Call for Trust and Security.  This call has garnered signatures of  some 57 countries and and several hundred companies and organizations (including that of my own employer).*  What President Macron and others have recognized is that there is a risk of both state and non-state actors interfering in the lives of  everyday people, possibly causing them great harm.

Every day provides a new example of why protection of our institutions is necessary.  This video was made some time ago.  We’d like to think that security of our infrastructure has improved, but Marriott proved us wrong last week, with over half a billion customer records having been stolen.

The Paris Call seems to address itself to these sorts of civilian attacks, which to me is appropriate. In particular, it focuses on the following areas (I’m condensing just a bit):

  • Protection of critical infrastructure,
  • Protection of electoral processes (Gee, I wonder who that is aimed at),
  • IPR protection,
  • Tools development to prevent the spread of malware,
  • No hack-backs, where people attempt to take the offense as a either a defense or a means of deterrence,
  • Acceptance of international norms of behavior.

The Call does not create or call for the creation of any new mechanism to pursue these points, but rather the use of existing mechanisms.  Instead, what we appear to be witnessing is the creation of a voting bloc inside existing multilateral and multi-stakeholder processes, as well as a non-binding commitment among the signatories themselves to pursue these principles.  It’s all motherhood and apple pie until we understand what the actual instantiation of these principles means.  Does it mean, for instance, an end of free software in order to protect content providers?  Will it require content publishers to actively protect all rights of copyright holders, even if those holders are unknown?

Also, should these principles apply equally to civilians and the military ?  Let’s take for example the Stuxnet attack, where some state actor attacked Iran’s nuclear weapons facility.  Should that attack have been prevented by these principles?  To what end?  Helping Iran gain an offensive nuclear capability?  If the choice was a cyberattack against a military installation versus a physical attack, where people would surely die, I’ll take the cyber attack any time.

There is another big topic that isn’t covered.  Right now governments are all struggling with how to handle cross-border law enforcement.  That is- if someone in Jurisdiction A hacks into or uses a computer in Jurisdiction B to attack a person in a third Jurisdiction C,  who can reasonably ask Jurisdiction B for the data?  This is a massive topic that the Council of Europe has been attempting to address for years.  These are knotty issues, because of the limitations on the powers of each country relating to search and seizure.

In short, while this is nice text, it doesn’t seem to me to accomplish much on its own. 

It does seem to be a slap at Russia and China, two  notably absent countries.  Three other notably absent countries are the U.S., Israel, and Iran.  Coincidence?  I think not.


*The views of my employer surely vary from my own today.

Internet Balkanization is here already, Mr. Schmidt.


In the technical community we like to say that the Internet is a network of networks, and that each network is independently operated and controlled. That may be true in some technical sense, but it far from the pragmatic truth.

By ProjectManhattan – Own work, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=39714913

Today’s New York Times contains an editorial that supports former Google CEO Eric Schmidt’s view that the Internet will balkanize into two – one centered around US/Western values and one around values of China, and indeed it goes farther, to state that there will be three large Internets, where Europe has its own center.

The fact is that this is the world in which we already live.  It is well known that China already has its own Internet, in which all applications can be spied by the government.  With the advent of the GDPR, those of us in Europe have been cut off from a number of non-European web sites because they refuse to comply with Europe’s privacy regulations.  For example, I cannot read the Los Angeles Times from Switzerland.  I get this lovely message:

Unfortunately, our website is currently unavailable in most European countries. We are engaged on the issue and committed to looking at options that support our full range of digital offerings to the EU market. We continue to identify technical compliance solutions that will provide all readers with our award-winning journalism.

And then there are other mini-Internets, such as that of Iran, in which they have attempted to establish their own borders, not only to preserve their culture, but also their security, at least in their view, thanks to such attacks as Stuxnet.

If China can make its own rules, and Europe can establish its own rules, and the U.S. has its own rules, and Iran has its own rules, can we really say that there is a single Internet today?  And how many more Internets will there be tomorrow?

The trend is troubling. 

We Internet geeks also like to highlight The Network Effect, in which the value of the network to each individual increases based on the number of network participants, an effect first observed with telephone networks.  There is a risk that it can operate in reverse: each time the network bifurcates, its value to each participant decreases because of the loss of the participants who are now on separate networks.

Ironically, the capabilities found in China’s network may be very appealing to other countries such as Iran and Saudi Arabia, just as shared values around the needs of law enforcement had previously meant that a single set of lawful intercept capabilities exists in most telecommunications equipment.  This latter example reflected shared societal values of the time.

If you believe that the Internet is a good thing on the whole, then a single Internet is therefore preferable to many bifurcated Internets.  But that value is, at least for the moment, losing to the divergent views that we see reflected in the isolationist policies of the United States, the unilateral policies of Europe, BREXIT, and of course China.  Unless and until the economic effects of the Reverse Network Effect are felt, there is no economic incentive for governments to change their direction.

But be careful.  A new consensus may be forming that some might not like: a number of countries seemingly led by Australia are seeking ways to gain access to personal devices such as iPhones for purposes of law enforcement, with or without strong technical protections.  Do you want to be on that Internet, and perhaps as  importantly, will you have a choice?   Perhaps there will eventually be one Internet, and we may not like it.

One thing is certain: I probably won’t be reading the LA Times any time soon.

My views do not necessarily represent those of my employer.


Are the Chinese infecting hardware? Someone is lying

Bloomberg has reported that a company, Supre Micro, Inc., has had their hardware hacked, maybe with the knowledge or encouragement of the Chinese government. Impacted customers reportedly include Apple Computer and Amazon, who may have had their data centers compromised.  Apple, Amazon, and Super Micro Inc have all issued strong denials.

The attack as described involves a tiny chip being surreptitiously inserted on the board of one of Super Micro Inc’s suppliers.  According to the report, the chip could insert code that would allow for malware to be installed.  We’ll come back to how to address that attack at a later date.

While this attack is at least feasible in theory, and while it is possible for vendors to keep a secret, and indeed it has enraged many people in the past that a bunch of vendors have kept secrets for quite a while, here we have a report where we have denials all around, and yet we have a somewhat detailed description of the attack.  There are only three possibilities:

  1. The reporters and their sources are accurate; in which case there is a MASSIVE conspiracy that includes Apple and Amazon, not to mention government officials.
  2. The reporters are wrong, and have been fed corroborated yet false information by government sources.
  3. The reporters are fabricating a story.

An existence proof – one board – would suffice to show that (1) is true.  Proving (2) would be quite difficult without recorded conversations of confidential sources.  (3) is also difficult to prove.

Let’s hope the reporters are fabricating the story, because the alternatives are far worse.  If the reporters are accurate, we either have vendors standing on their heads or government sources  feeding media a pack of lies.  Furthermore, although China has broken into the computers of adversaries in the past, it would be particularly bad for false accusations to circulate that could later be used to discredit or tarnish those that are true.

More to come.

Where a bad review really makes for poor security

Releasing unstable software harms cybersecurity for everyone, not just those who install the product.

Most consumers do not take the time to upgrade their devices simply because vendors want them to: there has to be something in it for me.  Apple, on the other hand, has been an exception.  Studies have repeatedly shown that Apple users do regularly upgrade their phones.  Just one month after release, their latest version was installed on 52% of their devices.  By comparison, summing all Android releases from 2015 to present gets you that same number, with the latest releases coming in around 20% of the total.

This becomes a Big Deal when we start talking about vulnerabilities, and zero-day exploits.  If there is a bug in your device and it is running an older version of the code, and you do not update, then that device can be used to attack you or someone else.  This is something that Microsoft learned the hard way in the last decade when it snuck in extra software in a security update, losing trust and confidence and willingness of their users.

In his review, Gordon Kelly has told his Forbes readers not to upgrade to the latest Apple iOS release precisely because it may be too risky, that the release itself was rushed.  When considering release timing, any vendor always has to balance stability and testing against other feature availability and security.  Apple may well have gotten the balance wrong this time.  The review in and of itself harms cybersecurity, not because the reviewer is wrong, but because the result will be that fewer people will have corrected whatever vulnerabilities exist in the release (as of this writing information about what is fixed hasn’t been disclosed).  Moreover, such reviews reinforce a bad behavior- to delay upgrading.  I call it a bad behavior because it puts others at risk.

This isn’t something that can be fixed with a magic wand.  We certainly cannot fault Mr. Kelly for publishing his analysis and recommendations.  If we wait for perfect security, we will never see another feature release.  On the other hand, if things get too rushed, we see such bad reviews.  Perhaps this argues that O/S vendors like Apple and Google should continue to provide security-only releases that overlap their major releases, at least until they are stable, which is what other vendors such as Microsoft and Cisco do.  It costs money and people to support multiple releases, but it might be the right thing to do for the billions of devices that are each and every one a point of attack.

Ain’t No Perfect. That’s why we need network protection.

If Apple can blow it, so too can the rest of us. That’s why a layered defensive approach is necessary.

When we talk about secure platforms, there is one name that has always risen to the top: Apple.  Apple’s business model for iOS has been repeatedly demonstrated to provide superior security results over its competitors.  In fact, Apple’s security model is so good that governments feel threatened enough by it that we have had repeated calls for some form of back door into their phones and tablets.  CEO Tim Cook has repeatedly taken the stage to argue for such strong protection, and indeed I personally have  friends who I know take this stuff so seriously that they lose sleep over some of the design choices that are made.

And yet this last week, we learned of a vulnerability that was as easy to exploit as to type “root” twice in order to gain privileged access.

Wait what?

 

Wait. What?

 

 

Ain’t no perfect.

If the best and the brightest of the industry can occasionally have a flub like this, what about the rest of us?  I recently installed a single sign-on package from Ping Identity, a company whose job it is to provide secure access.  This simple application that generates cryptographically generated sequences of numbers to be used as passwords is over 70 megabytes, and includes a complex Java runtime environment (JRE).  How many bugs remain hidden in those hundreds of thousands of lines of code?

Now enter the Internet of Things, where manufacturers of devices that have not traditionally been connected to the network have not been expert at security for decades.  What sort of problems lurk in each and every one of those devices?

It is simply not possible to assure perfect security, and because computers are designed by imperfect humans, all these devices are imperfect.  Even devices that we believe are secure today will have vulnerabilities exposed in the future.  This is one of the reasons why the network needs to play a role.

The network stands between you and attackers, even when devices have vulnerabilities.  The network is best in a position to protect your devices when it knows what sort of access a device needs to operate properly.  That’s your washing machine.  But even for your laptop, where you might want to access whatever you want to access, whenever you want to access it, through whatever system you wish to use, informing the network makes it possible to stop all communications that you don’t want.  To be sure, endpoint manufacturers should not rely solely on network protection.  Devices should be built with as much protection as is practicable and affordable.  The network provides an additional layer of protection.

Endpoint manufacturers thus far have not done a good job in making use of the network for protection.  That requires a serious rethink, and Apple is the posture child as to why.  They are the best and the brightest, and they got it wrong this time.