CRYPTO-GRAM

                  May 15, 2002

               by Bruce Schneier
                Founder and CTO
       Counterpane Internet Security, Inc.
            schneier@counterpane.com
          <http://www.counterpane.com>


A free monthly newsletter providing summaries, analyses, insights, and 
commentaries on computer security and cryptography.

Back issues are available at 
<http://www.counterpane.com/crypto-gram.html>.  To subscribe, visit 
<http://www.counterpane.com/crypto-gram.html> or send a blank message to 
crypto-gram-subscribe@chaparraltree.com.

Copyright (c) 2002 by Counterpane Internet Security, Inc.


** *** ***** ******* *********** *************

In this issue:
      Secrecy, Security, and Obscurity
      Crypto-Gram Reprints
      News
      Counterpane News
      Fun with Fingerprint Readers
      Comments from Readers


** *** ***** ******* *********** *************

       Secrecy, Security, and Obscurity



A basic rule of cryptography is to use published, public, algorithms and 
protocols.  This principle was first stated in 1883 by Auguste Kerckhoffs: 
in a well-designed cryptographic system, only the key needs to be secret; 
there should be no secrecy in the algorithm.  Modern cryptographers have 
embraced this principle, calling anything else "security by 
obscurity."  Any system that tries to keep its algorithms secret for 
security reasons is quickly dismissed by the community, and referred to as 
"snake oil" or even worse.  This is true for cryptography, but the general 
relationship between secrecy and security is more complicated than 
Kerckhoffs' Principle indicates.

The reasoning behind Kerckhoffs' Principle is compelling.  If the 
cryptographic algorithm must remain secret in order for the system to be 
secure, then the system is be less secure.  The system is less secure, 
because security is affected if the algorithm falls into enemy hands.  It's 
harder to set up different communications nets, because it would be 
necessary to change algorithms as well as keys.  The resultant system is 
more fragile, simply because there are more secrets that need to be 
kept.  In a well-designed system, only the key needs to be secret; in fact, 
everything else should be assumed to be public.  Or, to put it another way, 
if the algorithm or protocol or implementation needs to be kept secret, 
than it is really part of the key and should be treated as such.

Kerckhoffs' Principle doesn't speak to actual publication of the algorithms 
and protocols, just the requirement to make security independent of their 
secrecy.  In Kerckhoffs' day, there wasn't a large cryptographic community 
that could analyze and critique cryptographic systems, so there wasn't much 
benefit in publication.  Today, there is considerable benefit in 
publication, and there is even more benefit from using already published, 
already analyzed, designs of others.  Keeping these designs secret is 
needless obscurity.  Kerckhoffs' Principle says that there should be no 
security determent from publication; the modern cryptographic community 
demonstrates again and again that there is enormous benefit to publication.

The benefit is peer review.  Cryptography is hard, and almost all 
cryptographic systems are insecure.  It takes the cryptographic community, 
working over years, to properly vet a system.  Almost all secure 
cryptographic systems were developed with public and published algorithms 
and protocols.  I can't think of a single cryptographic system developed in 
secret that, when eventually disclosed to the public, didn't have flaws 
discovered by the cryptographic community.  And this includes the Skipjack 
algorithm and the Clipper protocol, both NSA-developed.

A corollary of Kerckhoffs' Principle is that the fewer secrets a system 
has, the more secure it is.  If the loss of any one secret causes the 
system to break, then the system with fewer secrets is necessarily more 
secure.  The more secrets a system has, the more fragile it is.  The fewer 
secrets, the more robust.

This rule generalizes to other types of systems, but it's not always easy 
to see how.  The fewer the secrets there are, the more secure the system 
is.  Unfortunately, it's not always obvious what secrets are 
required.  Does it make sense for airlines to publish the rules by which 
they decide which people to search when they board the aircraft?  Does it 
make sense for the military to publish its methodology for deciding where 
to place land mines?  Does it make sense for a company to publish its 
network topology, or its list of security devices, or the rule-sets for its 
firewalls?  Where is secrecy required for security, and where it is mere 
obscurity?

There is a continuum of secrecy requirements, and different systems fall in 
different places along this continuum.  Cryptography, because it of its 
mathematical nature, allows the designer to compress all the secrets 
required for security into a single key (or in some cases, multiple 
keys).  Other systems aren't so clean.  Airline security, for example, has 
dozens of potential secrets: how to get out on the tarmac, how to get into 
the cockpit, the design of the cockpit door, the procedures for passenger 
and luggage screening, the exact settings of the bomb-sniffing equipment, 
the autopilot software, etc.  The security of the airline system can be 
broken if any of these secrets are exposed.

This means that airline security is fragile.  One group of people knows how 
the cockpit door reinforcement was designed.  Another group has programmed 
screening criteria into the reservation system software.  Other groups 
designed the various equipment used to screen passengers.  And yet another 
group knows how to get onto the tarmac and take a wrench to the 
aircraft.  The system can be attacked through any of these ways.  But 
there's no obvious way to apply Kerckhoffs' Principle to airline security: 
there are just too many secrets and there's no way to compress them into a 
single "key."  This doesn't mean that it's impossible to secure an airline, 
only that it is more difficult.  And that fragility is an inherent property 
of airline security.

Other systems can be analyzed similarly.  Certainly the exact placement of 
land mines is part of the "key," and must be kept secret.  The algorithm 
used to place the mines is not secret to the same degree, but keeping it 
secret could add to security.  In a computer network, the exact firewall 
and IDS settings are more secret than the placement of those devices on the 
network, which is in turn more secret than the brand of devices 
used.  Network administrators will have to decide exactly what to keep 
secret and what to not worry about.  But the more secrets, the more 
difficult and fragile the security will be.

Kerckhoffs' Principle is just one half of the decision process.  Just 
because security does not require that something be kept secret, it doesn't 
mean that it is automatically smart to publicize it.  There are two 
characteristics that make publication so powerful in cryptography.  One, 
there is a large group of people who are capable and willing to evaluate 
cryptographic systems, and publishing is a way to harness the expertise of 
those people.  And two, there are others who need to build cryptographic 
systems and are on the same side, so everyone can learn from the mistakes 
of others.  If cryptography did not have these characteristics, there would 
be no benefit in publishing.

When making decisions about other security systems, it's important to look 
for these two characteristics.  Imagine a "panic button" in an airplane 
cockpit.  Assume that the system was designed so that its publication would 
not affect security.  Should the government publish it?  The answer depends 
on whether or not there is a public community of professionals who can 
critique the design of such panic buttons.  If there isn't, then there's no 
point in publishing.

Missile guidance algorithms is another example.  Would the government be 
better off publishing their algorithms for guiding missiles?  I believe the 
answer is no, because the system lacks the second characteristic 
above.  There isn't a large community of people who can benefit from the 
information, but there are potential enemies that could benefit from the 
information.  Therefore, it is better for the government to keep the 
information classified and only disclose it to those it believes should know.

Because the secrecy required for security are rarely black and while, 
publishing now becomes a security trade-off.  Does the security benefit of 
secrecy outweigh the benefits of publication?  It might not be easy to make 
the decision, but the decision is straightforward.  Historically, the NSA 
did not publish its cryptographic details -- not because their secrecy 
improved security, but because they did not want to give their 
Cold-War-world enemies the benefit of their expertise.

Kerckhoffs' Principle generalizes to the following design guideline: 
minimize the number of secrets in your security system.  To the extent that 
you can accomplish that, you increase the robustness of your security.  To 
the extent you can't, you increase its fragility.  Obscuring system details 
is a separate decision from making your system secure regardless of 
publication; it depends on the availability of a community that can 
evaluate those details and the relative communities of "good guys" and "bad 
guys" that can make use of those details to secure other systems.


Kerckhoffs' Paper (in French):
<http://www.cl.cam.ac.uk/~fapp2/kerckhoffs/la_cryptographie_militaire_i.htm>

Another essay along similar lines:
<http://online.securityfocus.com/columnists/80>


** *** ***** ******* *********** *************

             Crypto-Gram Reprints



Crypto-Gram is currently in its fifth year of publication.  Back issues 
cover a variety of security-related topics, and can all be found on 
<http://www.counterpane.com/crypto-gram.html>.  These are a selection of 
articles that appeared in this calendar month in other years.

What Military History Can Teach Computer Security, Part II
<http://www.counterpane.com/crypto-gram-0105.html#1>

The Futility of Digital Copy Protection
<http://www.counterpane.com/crypto-gram-0105.html#3>

Security Standards
<http://www.counterpane.com/crypto-gram-0105.html#7>

Safe Personal Computing
<http://www.counterpane.com/crypto-gram-0105.html#8>

Computer Security: Will we Ever Learn?
<http://www.counterpane.com/crypto-gram-0005.html#ComputerSecurityWillWeEver 
Learn>

Trusted Client Software
<http://www.counterpane.com/crypto-gram-0005.html#TrustedClientSoftware>

The IL*VEYOU Virus (Title bowdlerized to foil automatic e-mail traps.)
<http://www.counterpane.com/crypto-gram-0005.html#ilyvirus>

The Internationalization of Cryptography
<http://www.counterpane.com/crypto-gram-9905.html#international>

The British discovery of public-key cryptography
<http://www.counterpane.com/crypto-gram-9805.html#nonsecret>


** *** ***** ******* *********** *************

                      News



Microsoft is making efforts to deal with the problem of SOAP tunneling:
<http://www.theregus.com/content/4/24624.html>
<http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnglobspec 
/html/ws-security.asp>

Voice mail security can be just as important as network security:
<http://story.news.yahoo.com/news?tmpl=story&u=/ap/20020414/ap_on_hi_te/purl 
oined_voice_mail_3>
<http://www.computerworld.com/securitytopics/security/story/0,10801,70048,00 
.html>

Interesting interviews with Ralph Merkle and Whitfield Diffie about the 
invention of public-key cryptography:
<http://www.itas.fzk.de/mahp/weber/merkle.htm>
<http://www.itas.fzk.de/mahp/weber/diffie.htm>

Airline security comic:
<http://images.ucomics.com/comics/bz/2002/bz020417.gif>

Hackers target Israel:
<http://www.computing.vnunet.com/News/1130941>

Slashdot discussion of my "Liability and Security" essay:
<http://slashdot.org/article.pl?sid=02/04/21/0058214&mode=thread>

A typical network administrator is deluged with security advisories, 
warnings, alerts, etc.  Much of it is hype designed to push a particular 
product or service.
<http://www.newsfactor.com/perl/story/17273.html>
<http://www.cnn.com/2002/TECH/internet/04/24/virus.hype/index.html>

How Microsoft should treat security vulnerabilities, and how they can build 
trust:
<http://www.osopinion.com/perl/story/17344.html>

New hacker tools that evade firewalls and IDSs:
<http://news.com.com/2100-1001-887065.html>
<http://www.nwfusion.com/news/2002/0415idsevad.html>

Insiders may be the most dangerous security threat:
<http://news.zdnet.co.uk/story/0,,t269-s2108940,00.html>
<http://www.computerworld.com/securitytopics/security/story/0,10801,70112,00 
.html>

If Microsoft made cars instead of computer programs, product liability 
suits might by now have driven it out of business.  Should software makers 
be made more accountable for damage caused by faulty programs?
<http://www.economist.com/science/tq/displaystory.cfm?story_id=1020715>

Excellent discussion of national ID cards.  A must-read for anyone involved 
in the debate.
<http://books.nap.edu/html/id_questions>

The case for a national biometric database.  I don't think the author 
understands security at all.
<http://www.acm.org/ubiquity/views/j_carlisle_1.html>

ISS has been running some pretty cool intrusion-detection commercials on 
television.  If you've missed them, you can see them here:
<http://www.iss.net/campaigns/index.php>

This is a three-part report on bank security in general.  The first part is 
on the increase in security breaches, the second is the anatomy of a hack, 
and the third is a look at some of the reasons for insecurities in the system.
<http://news.com.com/2009-1017-891346.html>

French company Vivendi held an electronic vote.  Afterwards, there were 
stories that hackers tampered with the vote.  Others said that the vote was 
legitimate.  Now the courts are getting involved.  This underscores the 
biggest problem with electronic voting: they're hackable, and there's no 
way to show that they weren't.
<http://europe.cnn.com/2002/BUSINESS/04/29/vivendi.hacker/index.html>
<http://www.wired.com/news/business/0,1367,52162,00.html>
<http://www.silicon.com/a52986>
<http://www.silicon.com/a53068>
<http://www.vnunet.com/News/1131506>

Excellent essay on digital rights management and copy protection:
<http://www.reason.com/0205/fe.mg.hollywood.shtml>

The GAO released a report on "National Preparedness: Technologies to Secure 
Federal Buildings."  The report reviews a range of commercially available 
security technologies, from swipe cards to biometrics.
<http://www.gao.gov/new.items/d02687t.pdf>

Brute-force attack against credit card payments through 
Authorize.net.  Attackers run random numbers through the system, and 
occasionally get lucky.
<http://www.msnbc.com/news/742677.asp>

Nice article on building a taxonomy of different types of network attacks:
<http://www.osopinion.com/perl/story/17692.html>


** *** ***** ******* *********** *************

                Counterpane News


Two piece of big news this month.  One, Counterpane was named in the Red 
Herring 100:
<http://www.counterpane.com/pr-red100.html>
<http://www.redherring.com/insider/2002/0513/tech-rh100.html>

Two, we have as new distribution agreement with VeriSign.  VeriSign offers 
a portfolio of managed security services.  Two weeks ago, they added 
Counterpane's Managed Security Monitoring to that portfolio.  Every managed 
service contract that VeriSign sells will include Counterpane's monitoring.
<http://corporate.verisign.com/news/2002/pr_20020507.html>
<http://www.theregister.co.uk/content/55/25168.html>

Schneier is speaking at RSA Japan on May 29th.
<http://www.key3media.co.jp/rsa2002/eng/index.html>

Schneier is speaking at an Infraguard conference in Cleveland on June 7th.
<http://www.nocinfragard.org>

Schneier is speaking at the USENIX Annual Conference in Monterey on 6/15.
<http://www.usenix.org/events/usenix02/>

Schneier is speaking at NetSec in Chicago on 6/18, two times.


** *** ***** ******* *********** *************

          Fun with Fingerprint Readers



Tsutomu Matsumoto, a Japanese cryptographer, recently decided to look at 
biometric fingerprint devices.  These are security systems that attempt to 
identify people based on their fingerprint.  For years the companies 
selling these devices have claimed that they are very secure, and that it 
is almost impossible to fool them into accepting a fake finger as 
genuine.  Matsumoto, along with his students at the Yokohama National 
University, showed that they can be reliably fooled with a little ingenuity 
and $10 worth of household supplies.

Matsumoto uses gelatin, the stuff that Gummi Bears are made out of.  First 
he takes a live finger and makes a plastic mold.  (He uses a free-molding 
plastic used to make plastic molds, and is sold at hobby shops.)  Then he 
pours liquid gelatin into the mold and lets it harden.  (The gelatin comes 
in solid sheets, and is used to make jellied meats, soups, and candies, and 
is sold in grocery stores.)  This gelatin fake finger fools fingerprint 
detectors about 80% of the time.

His more interesting experiment involves latent fingerprints.  He takes a 
fingerprint left on a piece of glass, enhances it with a cyanoacrylate 
adhesive, and then photographs it with a digital camera.  Using PhotoShop, 
he improves the contrast and prints the fingerprint onto a transparency 
sheet.  Then, he takes a photo-sensitive printed-circuit board (PCB) and 
uses the fingerprint transparency to etch the fingerprint into the copper, 
making it three-dimensional.  (You can find photo-sensitive PCBs, along 
with instructions for use, in most electronics hobby shops.)  Finally, he 
makes a gelatin finger using the print on the PCB.  This also fools 
fingerprint detectors about 80% of the time.

Gummy fingers can even fool sensors being watched by guards.  Simply form 
the clear gelatin finger over your own.  This lets you hide it as you press 
your own finger onto the sensor.  After it lets you in, eat the evidence.

Matsumoto tried these attacks against eleven commercially available 
fingerprint biometric systems, and was able to reliably fool all of 
them.  The results are enough to scrap the systems completely, and to send 
the various fingerprint biometric companies packing.  Impressive is an 
understatement.

There's both a specific and a general moral to take away from this 
result.  Matsumoto is not a professional fake-finger scientist; he's a 
mathematician.  He didn't use expensive equipment or a specialized 
laboratory.  He used $10 of ingredients you could buy, and whipped up his 
gummy fingers in the equivalent of a home kitchen.  And he defeated eleven 
different commercial fingerprint readers, with both optical and capacitive 
sensors, and some with "live finger detection" features.  (Moistening the 
gummy finger helps defeat sensors that measure moisture or electrical 
resistance; it takes some practice to get it right.)  If he could do this, 
then any semi-professional can almost certainly do much much more.

More generally, be very careful before believing claims from security 
companies.  All the fingerprint companies have claimed for years that this 
kind of thing is impossible.  When they read Matsumoto's results, they're 
going to claim that they don't really work, or that they don't apply to 
them, or that they've fixed the problem.  Think twice before believing them.


Matsumoto's paper is not on the Web.  You can get a copy by asking:
Tsutomu Matsumoto <tsutomu@mlab.jks.ynu.ac.jp>

Here's the reference:
T. Matsumoto, H. Matsumoto, K. Yamada, S. Hoshino, "Impact of Artificial 
Gummy Fingers on Fingerprint Systems," Proceedings of SPIE Vol. #4677, 
Optical Security and Counterfeit Deterrence Techniques IV, 2002.

Some slides from the presentation are here:
<http://www.itu.int/itudoc/itu-t/workshop/security/present/s5p4.pdf>

My previous essay on the uses and abuses of biometrics:
<http://www.counterpane.com/crypto-gram-9808.html#biometrics>

Biometrics at the shopping center: pay for your groceries with your thumbprint.
<http://seattlepi.nwsource.com/local/68217_thumb27.shtml>


** *** ***** ******* *********** *************

             Comments from Readers



From: "Joosten, H.J.M." <H.J.M.Joosten@kpn.com>
Subject: How to Think About Security

> More and more, the general public is being asked to make
> security decisions, weigh security tradeoffs, and accept
> more intrusive security.
>
> Unfortunately, the general public has no idea how to do this.

People are quite capable of making security decisions.  People get burglar 
alarms, install locks, get insurance all the time.  Of course it doesn't 
always help, and people may differ with respect to the security levels they 
require, but I don't see a fundamental difference in decision making.

So what IS the difference then? It's that people in "the real world" have 
an idea of what the security problems are.  Your car can get stolen.  You 
can get burgled.  And so on.  They have a perception of the consequences of 
having to get a new car, having to buy stolen stuff and repairing the entrance.

People don't have this idea with respect to information security.  They may 
go like: "So what about firewall settings? Customers don't complain, they 
pay their bill.  So WHAT are the problems that I must solve?"  People don't 
seem to feel the REAL consequences.  Within companies, this might be an 
organisational issue.  For individuals, not all that much seems to go wrong 
if you stick to whatever your ISP says is good practice.

We, as security experts, keep talking of what MIGHT happen, and we're all 
too happy if some incident actually happens.  Most of these incidents are 
not actually felt by people, so they don't perceive it as their 
problem.  We can frighten them by pointing to these incidents.  But then 
they don't have a security problem.  Their problem is one of fear, and this 
can be gotten rid of easily by the same person that installed the 
fear.  That's how some security sales can, and are made to work.

So while your "Step One: What problem does a measure solve?" is a crucial 
step, there's real work to do before that.  We should come up with a 
self-help method for the general public, that they can use to assess what 
kind of problems they have, and actually perceive, from their own 
perspective.  They are responsible, meaning that when things turn sour, 
they're the ones that face the consequences.  Where they don't perceive 
realistic consequences, they don't have problems.  If your or your 
neighbour's house gets burgled, or a house in your block, that's when you 
perceive a problem, and then you're going to do something about it.  People 
can do that.  They've been doing it all the time.  And then, but only then, 
is your five-step process going to be of help.



From: "John Sforza" <jsforza@isrisk.net>
Subject: How to Think About Security

I agree that the general public (at this point in time) has limited 
experience in making informed and intelligent security decisions about 
infrastructure, information and privacy issues.  I however strongly 
disagree that the people in the computer security arena are better at these 
just because they are struggling with the issues continually.  I would be 
much more impressed with the computer security community's competence if 
there was some indication that their activity was showing hard results.

I see the computer security industry as babes in the woods when it comes to 
activities beyond their computers, software and immediate domain.  The 
professions of intelligence operations, operations security, counter 
intelligence, and plain spying have had live decades of experience and 
centuries of operational history.  It is you who are the new kids on the 
block applying historical best practices from these disciplines to 
so-called computer and information security and claiming conceptual 
credit.  The general computer security population is less than 15 years old 
in terms of experience, with the majority having less than ten years in 
anything beyond ACLs, passwords, and basic encryption.  Almost none of the 
computer security population has any background in physical security, 
covert operations, cultural context as regards security, or real world 
experience beyond their cubicles.

I have also found that computer security people in general make lousy 
instructors for the general public, primarily due to narrow vision, 
technical arrogance, and a base failure to understand the learning 
process.  Just because you are an expert in one field, do not assume 
across-the-board expertise.

Finally, while your five steps are good general practices (centuries old 
and documented), they are not foolproof in any formal mode.  Let me state 
that another way -- if it were that simple, why are your so-called experts 
so busy in your own yards?

Your statements continue to foster the greatest general security issue we 
face, enthusiastic amateurs with certificates being told that they are the 
greatest thing since sliced bread.



From: "John.Deters" <John.Deters@target.com>
Subject: How to Think About Security

Much of security is emotional and psychological, as the events following 
the 9/11 attacks prove.  The stock markets, leisure travel, and all the 
other industries affected are relying on the sum of all these measures, 
including the placebos, to recover.  It may be a house of cards or window 
dressing to those of us who understand security, but the vast majority of 
the population does not understand security.  They need to see "someone 
doing something," because the enormous reality of the tragedy has 
transcended rational thought.

Given that, I'd argue that much of what you call "placebo" does indeed 
induce a positive, real effect on the country and the economy.

Is the recovery real?  I have to argue "yes."  People are boarding planes 
again.  Stock markets are slowly regaining lost value.  Even if the market 
recovery is built on a house of cards, on the imagined security gained by 
the PATRIOT act or by National Guard troops in the airports, it all acts to 
restore confidence.

So, does this mean Christmas has come early for the snake-oil 
salesmen?  Yes.  Should you patriotically abandon pointing out the truth 
about these systems being shams?  Of course not.  Real security is still a 
noble and desirable goal, and we all know that false security both hides 
weaknesses and opens holes for attacks.  My point is that we all need to 
understand the whole system that is our world, that MOST of it is driven 
subjectively and emotionally by people who have never heard of 
cryptography, or think security comes from a spray bottle on the belt of 
the white-shirted guy in the airport.  Think about how much slower the 
country might rebuild confidence if we implemented only the very few 
measures that served to truly improve security.



From: nemo@cise.ufl.edu
Subject: Liability and Security

With regard to your essay on "Liability and Security," I would have to 
agree with you in most respects with one major exception.  After harping on 
these exact points for some time, I have concluded that it is not even 
necessary for the first point (liability legislation) to exist for the 
second (insurance-driven security) to come about.  In fact, given the 
preponderance of evidence of the ignorance of our legislators about 
security and the influence of powerful vendors on same, it may be better 
that there are no laws as of yet (case law for civil liability may be a 
better approach for forensics).

On the other hand, it is impossible for me to imagine that any vendor could 
convince an insurance company to give lower rates to their customers if 
their product does not perform.  The insurer is driven by its view of 
predicted value, based on its collected history of past performance, and 
sets the premium rates and categories based on its best estimates and its 
desire for profit.  If it is not profitable to do it, then it won't do 
it.  I don't even really care if a vendor pays an insurer to give customers 
a break if they use the vendor's product, as this amounts to economic 
incentive for the vendor, just as reduced sales (from customers not buying 
products that cost too much to insure) does, but on the other end.  The 
vendor will have to make it worth the insurer's bottom line to change the 
rates, so the "bribe" will still have to be "honest."  When it is cheaper 
to make good products than to pay for their repair and the damage they 
cause (or to subsidize a third party to do so), then the vendor will go 
that direction.

For a customer to buy insurance (and make it possible for the insurers to 
drive security), they must have some incentive.  This has to come from 
liability, but this is liability in civil suits -- not of the vendor 
directly, but of the company that uses the vendor's products.  This is only 
likely to be of consequence for institutional software consumers, but that 
is likely to be enough.

In a sort of ideal version of all this, the insurers act as Bayesian nets 
providing (partial) information on the true total cost of ownership (TCO) 
of a product.  Here, the TCO is initial cost (sales price of the software 
plus training), use cost (hard to quantify, but day-to-day cost of using it 
in terms of interoperability, user interface, etc.), maintenance cost 
(keeping it running, upgrading it, adapting to new users and 
configurations), and liability cost (the insurance).  Right now, the last 
item is left out most of the time.  Even the two middle terms are only now 
being given the attention they deserve, and I suspect that there is a 
strong "tipping effect" on the benefits of use as the fraction of customers 
that use a particular piece of software changes (the "Betamax 
factor").  This latter can provide very strong incentives to vendors NOT to 
lose market share, which can amplify the effect that insurers have.



From: "John Brooks" <john_g_brooks@hotmail.com>
Subject: Liability and Security

Pushing risk management towards insurance companies has two major problems.

First, the inherent conservatism of the insurance industry.  It can take a 
very long time to get its collective head around new scenarios.  In the 
meantime, it DOES accept cash from willing punters, but the cover provided 
can be worthless.  For example: "data insurance" here in UK.  This has been 
around for a long time and purports to cover all (or most) risks.  But for 
a long time the actual value of the data was calculated in bizarre ways and 
there was NO cover against the problems and extra costs caused by not 
having access to it!  I expect this situation has improved more recently, 
with more insurers entering the market.

Second, the effects of monopoly.  In UK, there are a couple of "trade 
organisations" close to the insurance industry with members that do 
physical security system installation (e.g., NACOSS).  No doubt these 
"clubs" have value, but much of this seems to be for their members rather 
than for security system users.  Pardon my cynicism -- but we're talking 
basic human nature here.  Any organisation with exclusivity based on 
membership or other mechanisms can create "negative influences" on the 
industry or interest group(s) it is supposed to help.  Potential parallels 
with the (mainly U.S.-based) music-industry groups (RIAA, etc.) are obvious.

I've nothing against insurance as such.  It's the quality of the risk 
analysis and the number of places this is done (i.e., hopefully more than 
one!) that bother me.  Also, everyone has to bear in mind that any 
insurance company's "prime directive" is: "If possible, don't pay out!"



From: Glenn Pure <Glenn.Pure@pcug.org.au>
Subject: Liability and Security

I agree fully with your point that the software industry should be equally 
liable for defects in their products as any other industry.  All the same, 
winning a damages claim for a defective security feature may be very 
difficult in many cases because of the difficulty in determining the degree 
to which a software flaw contributed to the loss (in comparison with a pile 
of other software, configuration, architecture, and management/personnel 
issues).

But worse, I think liability simply won't work.  Making software companies 
liable will provide them only with an incentive to write clever licencing 
agreements that absolve them of responsibility.  While you might think this 
comment is motivated by cynicism, it's not.  It's basic logic.  A software 
company faced with the prospect of blowing out its software production 
costs and development times will look to an alternative means of reducing 
its liability.  I'm sure the brilliant minds in this industry will come up 
with plenty of cheaper ideas (that avoid the expensive route of actually 
fixing the problem) including "creative" revision of licencing terms.

Likewise, software buyers won't be any more convinced to buy better 
security products (or products with better liability provisions) if, as you 
clearly argue, they aren't particularly concerned about it in the first 
place.  And to the extent they are concerned, they won't rest any easier at 
night knowing they can sue some negligent software company for a security 
bug.  That would be like arguing that stringent commercial aviation 
maintenance and safety controls are no longer needed provided there's a 
functional parachute under every passenger's seat!



From: jja@lusArs.net
Subject: Liability and Security

I think you are overselling the wonders of liability in several 
ways.  First, you are not admitting the costs of liability.  Companies are 
going to go out of business through no fault of their own, because some 
jury or judge did not manage to comprehend the situation that provoked a 
lawsuit correctly.  Good people will lose jobs, and good products will be 
driven off the market.  Insurance can reduce this problem, but will never 
eliminate it.  Good products made by people who just don't happen to know 
the right other people will be ignored because insurance companies won't 
evaluate them.  Payouts will be awarded by juries that are totally out of 
proportion to the events they're penalizing.  This is just the beginning.

Second, you are not admitting that insurance companies, all too often, are 
so slow to react that the security industry in brick and mortar is largely 
a joke.  Security for them is not about stopping people, or even about 
catching them.  It is purely a matter of making sure the finances work out 
right.  That's exactly what happens today, too, except that different 
people are paying the price in different ways.  Liability may be(and I 
think is) a fairer model, on average, but it is not necessarily "more 
secure" in a technical sense, and claiming otherwise is pure and simple 
naivete.  Your company's services might reduce insurance rates, but odds 
are that simple, stupid, and largely ineffective methods will too, and the 
cost/benefit results may or may not end up being what you would hope 
for.  Remember that insurance companies face a cost tradeoff 
too:  determining what measures work and how well and asking people to pay 
a certain amount up front to reduce insurance rates are costs,
and so they only do these so well, and no better -- however well is needed 
to be competitive with other insurance companies, as it happens.  Given the 
abysmal state of most insured secure facilities, it is obvious that this is 
an imperfect mechanism.

I do believe liability-based security is a good thing, but it is not a 
panacea.  We all know nothing is perfect, and nobody expects it to be perfect.



From: Todd Owen <towen@lucidcalm.dropbear.id.au>
Subject: Liability and Security

Your argument for software to entail legal liability is very interesting, 
and I certainly agree that the root cause of insecure software is not a 
technological issue.  But it may be worth noting that what you suggest 
applies to a specific type of society: namely our own Western society, and 
corporate/capitalist economic system.

The problem (as you have already pointed out) is not that companies can't 
improve the security of products, but that they don't want to.  Managers 
don't want to spend time and money on improving security because of market 
pressure, and because corporate culture teaches them the mantra of 
"maximise profit" at the expense of everything else.  Of course, security 
is not the only victim of this way of thinking (also called "economic 
rationalism").  This business methodology also justifies a great amount of 
pollution and environmental destruction, unethical treatment of employees 
(especially workers in third world countries), and other unethical and/or 
illegal behaviour such as false advertising and the wielding of monopoly power.

Various measures are used to combat these issues, ranging from unionism to 
legislation.  If liability can answer the problem of software quality, then 
it may be the solution we need.

However, I think that Greg Guerin (January 2002 issue) is right to be 
concerned about the burden of liability on small firms and on open source 
software.  The effect of liability (and insurance) in these cases would 
depend on exactly how liability was legislated.  But if it ended up 
disadvantaging open source software then I would find this sadly ironic 
because the Free Software movement is in part a response to the corporate 
"greed is good" mentality which seems to me to be the root cause of the 
software quality problem.

Another point is that software liability would encourage the "litigious 
mindset" of the modern world (especially the USA).  Would we have 
opportunistic lawsuits holding the software manufacturer liable for a 
network intrusion even though the root password was set to "password"?

I think that, in the long term, a move aimed at encouraging corporations to 
actually care about their customers (rather than profit only) would be more 
beneficial than forcing them to pay attention to quality through legal 
measures.  But that would require a lot more than political lobbying to 
achieve.



From: "Tousley, Scott W." <Scott.Tousley@anser.org>
Subject:  2002 CSI/FBI Computer Crime Survey

I think this year's study continues the slide away from factual response 
summary and towards issue advocacy.  The advocacy is so strongly presented 
that the neutral reader starts to put this "report" aside as just another 
sponsored item of marketing.

Once again, I am very disappointed to see no effort to normalize the 
reported criminal and malicious activity against background trends of 
economic activity, electronic commerce, etc.  I continue to read all of the 
CSI "studies" as indicating a relatively constant level of malicious 
activity, where the apparent growth reported in the surveys is almost 
entirely proportional to and explained by the increasing presence of 
network-related economic activity, increasing awareness of computer 
security issues, etc.  I think CSI is missing a huge opportunity here, 
because if they re-baselined the information by factoring the background 
out, they could then address likely trends in a more objective sense, and 
with more credibility from the neutral reader.  This sustained CSI effort 
has a significant "first-move" advantage in tracking these commercial 
impact trends, and I would regret seeing it frittered away by losing 
quality and focus on the core reported information.



David Haworth <david.haworth@altavista.net>
Subject: CBDTPA

In all the articles I've read criticizing the CBDTPA, I've never seen 
anyone write about one of its consequences: that it might place the USA in 
violation of the WIPO treaties that very carefully and overreachingly 
implemented with the DMCA.

In the "Agreed Statements" attached to Article 12 of the WIPO copyright 
treaty (the article that requires legal remedies against the removal of 
digital rights management information), it clearly states:

"It is further understood that Contracting Parties will not rely on this 
Article to devise or implement rights management systems that would have 
the effect of imposing formalities which are not permitted under the Berne 
Convention or this Treaty, prohibiting the free movement of goods or 
impeding the enjoyment of rights under this Treaty."

The CBDTPA, coupled with Microsoft's DRM-OS patent and no doubt a whole 
cartload of other software patents that are unenforceable outside the U.S., 
would provide exactly the kind of barrier to free movement of goods that 
the U.S., in agreeing to the statement, contracted not to do.



From: kragen@pobox.com (Kragen Sitaker)
Subject: SNMP Vulnerabilities

In the April issue of Crypto-Gram, Bancroft Scott wrote:
> If applications that use ASN.1 are properly implemented
> and tested they are as safe as any other properly
> implemented and tested application.

If, by "properly implemented," you mean "correct," then your statement is 
probably vacuously true; I would be very surprised if there were any 
programs complex enough to use ASN.1 that were free of bugs.

If, on the other hand, you mean "implemented according to current best 
programming practices," then your statement is still probably vacuously 
true.  Current best programming practices are probably those practiced by 
the onboard shuttle software group, which has a defect rate on the order of 
one bug per 10,000 lines of code; they cost on the order of a million 
dollars (times or divided by five -- I'd be delighted to get more accurate 
numbers) per line of code, about 3,000 times the normal amount.  I don't 
think any ASN.1 programs have been implemented in this manner, but maybe 
I'm wrong.  Maybe the onboard shuttle system uses ASN.1.

If, by "properly implemented," you mean "implemented by reasonably 
competent programmers using reasonable precautions," then you are 
completely wrong.  "Properly implemented" programs (by this definition) 
contain bugs, usually very many bugs, but some of them contain many more 
bugs than others.  The prevalence of bugs in a particular "properly 
implemented" program is influenced very strongly by its internal 
complexity, which is largely a function of the complexity required by its 
specification.

If ASN.1 requires greater complexity than the alternatives from programs 
that use it, then programs that use ASN.1 will contain more bugs; some 
fraction of these bugs will be security vulnerabilities.  On the other 
hand, if using ASN.1 is simpler than using the alternatives, then programs 
that use it will contain fewer bugs.  I do not know enough about ASN.1 to 
know which of these is true.

The "and tested" part is an irrelevant distraction; testing is a remarkably 
ineffective way to reduce the number of security vulnerabilities in 
software.  Other practices, such as featurectomy, ruthless simplification, 
code reviews, design by contract, and correctness arguments, are much more 
effective.


** *** ***** ******* *********** *************


CRYPTO-GRAM is a free monthly newsletter providing summaries, analyses, 
insights, and commentaries on computer security and cryptography.  Back 
issues are available on <http://www.counterpane.com/crypto-gram.html>.

To subscribe, visit <http://www.counterpane.com/crypto-gram.html> or send a 
blank message to crypto-gram-subscribe@chaparraltree.com.  To unsubscribe, 
visit <http://www.counterpane.com/unsubform.html>.

Please feel free to forward CRYPTO-GRAM to colleagues and friends who will 
find it valuable.  Permission is granted to reprint CRYPTO-GRAM, as long as 
it is reprinted in its entirety.

CRYPTO-GRAM is written by Bruce Schneier.  Schneier is founder and CTO of 
Counterpane Internet Security Inc., the author of "Secrets and Lies" and 
"Applied Cryptography," and an inventor of the Blowfish, Twofish, and 
Yarrow algorithms.  He is a member of the Advisory Board of the Electronic 
Privacy Information Center (EPIC).  He is a frequent writer and lecturer on 
computer security and cryptography.

Counterpane Internet Security, Inc. is the world leader in Managed Security 
Monitoring.  Counterpane's expert security analysts protect networks for 
Fortune 1000 companies world-wide.

<http://www.counterpane.com/>

Copyright (c) 2002 by Counterpane Internet Security, Inc.