Social Contracts on Internet Security

Everyone and I mean EVERYONE tells you that the best thing you can do for yourself and others if you have a Windows system on the Internet is to run anti-virus software, and keep your patches current.  Otherwise your system can be a nuisance to others, as it is broken into and used as a bot to attack others.

That doesn’t work so well when the anti-virus software causes the user problems.  These systems take a performance hit, that is for sure.  But they can have bugs as well, as this page from McAfee  demonstrates.  What has happened here is that a program called “McScript_InUse.exe” has gone crazy, pegging the system’s CPU.  Not only does this kill performance of every other application on a system, but it can have an impact on your energy bill, because a 100% used CPU means that it will run faster with more fans on and more cooling required.

McAfee cannot be condemned for having bugs in their software, even though it is ironic that they exist in large part because Microsoft Windows has bugs that are taken advantage of.  It never-the-less brings up the question of whether such active scanning technology is the right approach, or whether we have to do better at providing better underlying security.  The extreme version of this would be provably secure programming, a field in which Dr. Gene Spafford (a network legend) has devoted his career.

In the meantime, however, we have to hold McAfee to a higher standard, just as we should Microsoft.  When people believe that they will be harmed by the very software that is meant to protect them and others, especially when the more negative consequences impact others, they will not upgrade.  We discussed this with the ETH Study, some time ago, and now we can expect additional consequences.

[del.icio.us] [Digg] [Facebook] [Reddit] [Twitter]

Obama v. McCain: Foreign Policy

How the United States deals with the world around us has been the principal province of the president, for as long as there has been a U.S.  It is an area in which most presidents learn it on the job, as was the case for Presidents Reagan & Clinton.  In other circumstances, presidents bring a strong policy background to the job, such as was the case with President George H. W. Bush.  (His son, President Bush, doesn’t seem to have learned anything, not really having understood anything prior to having taken office.)

Senator Barack Obama is only a little older than me.  Neither of us can seriously have understood at the time all of the implications of the Vietnam War, but both of us became well enough aware of the world around us to understand what was happening during the Carter administration (he might have even gotten it during the Ford administration).  He has spent some of his life outside of the United States, and he has spent some of his life in the time of the Cold War.

Senator John McCain is of a different era.  His views are informed by his having served in the Vietnam War and been captured and held by the Vietcong.  There are few people on earth who can relate to his nearly unique experiences.  McCain spent most of his life with the Cold War, and he was born outside of the United States.

Both of these men have interesting perspectives on foreign policy, but to be sure John McCain has been there a whole lot longer.  Which positions should we judge?  My own areas of interest revolve around the reconstituted Soviet Union, how we handle the Middle East, and how we engage the developing world.  I am also interested in continued development of international relationships to reduce cybercrime and cyber-terrorism.  As an expatriate foreign policy probably impacts me more than domestic policy, which is why it’s up front next to education.  But these days that should be the case with more Americans.  Our new found isolation in the world has empowered bad actors, like Hugo Chavez.

Senator McCain has been a strong proponent of America following international law and norms.  As a former prisoner he saw what happened personally when those norms weren’t followed.  The senator has always expressed strong concern about the way the Bush Administration treated detainees in Guantanamo Bay, and advanced legislation against such reckless behavior.

Senator McCain supported former Secretary of Defense Donald Rumsfeld and President Bush on both their decision to go to war and initial tactics.  This to me represents a remarkable failure on his part, because Mr. Rumsfeld failed to ask the very question that most foreign policy experts would ask: what happens after you invade?  We take over and then what?  The departure from the Powell Doctrine of overwhelming force to “shock and awe” only worked until the shock and awe wore off, if it worked at all.  The actual justification for the war is now thoroughly debunked, and the next president will have to clean up this president’s mess.

Senator McCain has been very vocal about Russia’s invasion of Georgia.  Here I am entire agreement with him, and I would perhaps have gone farther.  Russia has for years lost its luster to me, and the current president has lied – repeatedly – about Russia’s intent.  It’s all about reasserting Russia’s position as a super-power, taking control of her oil, and using economics as a policy weapon against the west.  As I wrote previously, we brought this on ourselves.  McCain has been there early on, as it is in his nature to address such threats.

Senator Obama has made statements to the same effect as of late, but has otherwise taken a less prominent stance.  Sometimes that’s not a bad thing.  If the current president plays “bad cop” in some way in the near future, Senator McCain will be left with fewer options than Senator Obama in January.  The reverse is also true.  President Bush can use the McCain’s stridency to say, “This is who you get later if you don’t solve the problem to my satisfaction.”  It’s right out of a West Wing Episode, and arguably out of the Iran Hostages playbook, where Iran resolved the matter the moment Ronald Reagan took office.

John McCain has also stated his preference for ending sugar, oil, and ethanol subsidies as part of his education plan.  Were those subsidies tied to quality standards I might have more sympathy for them, as I did with the Swiss.  Absent those, the American way of life is not on the line, and it would seem that commodity prices are doing just fine on their own at the moment, and so it’s free money to remove those subsidies.

Senator Obama is not without his own touch on foregin policy.  In 2006 he sponsored a bill that eventually became law to stablize the Congo.  He has stated that he is willing to meet with leaders of countries that we don’t especially love, like Cuba, North Korea, and Iran.  He has been extremely cagy about the terms of such meetings and he has parsed his words carefully since.  Normally such parsing drives me CRAZY, reminding me to look up what the definition of is is.  The art of foreign policy, however, is talking out of both sides of one’s mouth.  Senator McCain and our current president don’t do this, so far as I can tell.

And the Winner is…

While I find John McCain’s views on Iraq far from my own, his views on Russia seem to be more aligned than those of Barack Obama, and there can be no doubt as to who has more experience. Obama has nowhere near the amount of experience of his opponent, but he did get Iraq right, and he probably has a good handle on Africa.  Still I do not agree with his willingness to meet with just any ole dictator.

Today both candidates get passing grades on foreign policy, with McCain getting about a 80/100 and perhaps Obama getting 75.  So let’s give this round to McCain.

[del.icio.us] [Digg] [Facebook] [Reddit] [Twitter]

Why Extradition of Hackers Is Important

Each day we hear about different forms of fraud and theft on the Internet.  Someone in America gets phished from a computer in the UK that is controlled by another computer in Switzerland, that is controlled by an individual in Italy, and their bank account emptied to a mule in America, and the money ends up with some gang in Russia.

Even if you found the individual in Italy you have to answer this question: where was the crime committed?  The Convention on Cybercrime of the Council of Europe addresses this very question, and fosters cooperation amongst  cooperating societies.  Extradition is so rare that it is worth pointing out when it happens.  On the 30th of July a UK Court refused to block extradition to someone who is accused of having caused many hundreds of thousands of dollars to US government systems.  While in this case the government was a victim, something that happens all too often, far more often it’s individuals who are harmed.  In this case the person sounds a bit disturbed. Let’s hope that next time they extradite people who do this sort of thing to make money, and demonstrate to them that it is not worth the risk.

Because the risk of getting caught is so small, this is an instant where the penalties should be very high when intent on theft, fraud, or disruption of services is clearly evident.

[del.icio.us] [Digg] [Facebook] [Reddit] [Twitter]

Off to Dublin (well sort of)!

Today, the Internet Engineering Task Force begins its 72nd in person meeting.  The IETF as it is known is a standards organization that primarily focuses on, well, the Internet.  The work done in this body has included Multimedia Internet Mail Extensions, Internet Calendaring, Voice over IP, and many others.  Not all work done by the IETF has worked out.  An effort I worked on some time ago weeded out the stuff that either was never used or is no longer used.  One of the key areas that any standards organization struggles with is how much potentially useful stuff to let through versus sure bets.  Sure bets are those things where a necessary improvement or change is obvious to a casual observer.  The people who make those changes are not the ones with imagination.

It’s the people who use their imaginations who make the bucks.  Always has been.  The problem is that there are a lot of people who may have good imaginations, but are unable to convert a good idea into something that can be broadly adopted.  This is a problem for a standards organization because each standard takes time and effort to develop, and each failed standard diminishes confidence in the organization’s overall ability to produce good stuff.

On the whole the IETF has done demonstrably well, as demonstrated by the vast amount of money organizations have poured into personal attendance at the in person conferences, even though no attendance is required to participate.

This summer’s conference is being held in Dublin City West at a golf resort, a bit away from the major attractions.  There are two benefit of this: first the cost isn’t absolutely outrageous.  Second, if people know they the attractions are a bit far off, then fewer tourists will come.  I actually don’t mind the idea of an IETF in Buffalo in the winter, but I may be taking things a bit too far.

Among the many discussions that will take place at this conference include one about what to do about email whose domain cannot be ascertained to have authorized its release.  The standard in question that identifies email is called Domain Keys Identified Mail (DKIM), and is relatively new.  What to do, however, when DKIM is not employed or if the signature sent is broken in some way?  This is the province of a work called Author Domain Sender Policies (ADSP).  The specification provides a means for sending domains to communicate their intentions.  After a year of arguments we hope to have a standard.  Whether it proves useful or not will only be shown by the test of time.

[del.icio.us] [Digg] [Facebook] [Reddit] [Twitter]

Perhaps I Was Right, Long Ago

Source: Computer History Museum

We are running out of addresses for the current version of the Internet Protocol, IPv4.  That protocol allows us to have 2^32 devices (about 4 billion systems minus the overhead used to aggregate devices into networks) connected to the network simultaneously, plus whatever other systems are connected via network address translators (NATs).  In practical terms it means that the United States, Europe, and certain other countries have been able to all but saturate their markets with the Internet while developing countries have been left out in the cold.

Long ago we recognized that we would eventually run out of IP addresses.  The Internet Engineering Task Force (IETF) began discussing this problem as far back as 1990.  The results of those discussions was a standardization that brought us IP version 6.  IPv6 quadrupled the address size so that there is for all practical purposes an infinite amount of space.  The problem is IPv6’s acceptance remains very low.

While IPv6 is deployed in Japan, Korea, and China, its acceptance in the U.S., Europe, and elsewhere has been very poor.  It is not the perfect standard.  ALL it does is create a larger address space.  It does not fix routing scalability problems and it does not make our networks more secure.  No packet format would fix either of those problems.

One of the reasons that IPv6 is not well accepted is that it requires an upgrade to the infrastructure.  Anything that uses an IPv4 address must be taught to use an IPv6 address.  That is an expensive proposition.  IP addresses exist not only in the computer you’re using right now, but in the router that connects your computer, perhaps in your iPhone (if you are a Believer), in power distribution systems, medical systems, your DMV, and in military systems, just to name a few.  Changing all of that is a pain.

Back around 1990, I had posited a different approach.  Within IPv4 there is an address block 240.0.0.0/4 (16 /8 blocks).  What if one could continue to use normal IPv4 address space, but when needed, if the first four bytes of the IPv4 address space contained addresses from that reserved block, one would read the next four bytes as address as well?  View that block, if you will, as an area code, and everyone would have one.  That would mean that you would only need it if you were contacting someone not in your area code.  It would also mean that eventually we would have increased the address space by the size of a factor of 2^28.  That’s a big number, and it probably would have sufficed.

Even after these addresses became prevelant, since devices would only need to use them if they were communicating outside their area code, it would mean they could be upgraded at a much slower pace.

The problem that people had with the idea the time was that the cost to implement this version of variable length addressing would have been high from a performance factor.  Today, routers used fixed length addresses and can parse them very quickly because of that.  But today that is only because they have been optomized for today’s world.  It might have been possible to optomized for this alternate reality, had it come to pass.

[del.icio.us] [Digg] [Facebook] [Reddit] [Twitter]