Smartcards

November 2nd, 2009 Jon Solworth No comments

A smartcard is a credit-card-sized device which can be used for a variety of purposes. It can be used to authenticate a person, proving that person’s identity. It can be used as a debit card, in which the smartcard contains the current balance.

A smartcard contains a secret. The smartcard can prove that it possesses this secret, which is unique to a given smartcard and is never disclosed. This pretty nifty trick is done with something called public key cryptography. The smartcard performs this cryptography using its internal processor and memory. Because it has a processor, it can produce a different proof each time it is used. The proof works as follows: The challenger provides a number to the smartcard, the smartcard encrypts the number, after which the challenger can verify that the number it provided was encrypted by the specific smartcard—without the challenger knowing the secret. Because a different number is used each time, an eavesdropper who listens to one exchange learns nothing allowing him to perform a different exchange.

The smartcard may fall into the hands of an attacker. It is essential that, even in this case, a card does not reveal its secrets. The attacker may try to take apart the smartcard so that he can probe its memory to read its value. If the attacker can learn the secret, he can make many copies of the smartcard; without the secret, there is no point in forging smartcards. Smartcards have been extensively studied by security researchers, who have devised attacks and shown how to protect against such attacks. Smartcard manufacturers have incorporated many techniques to make smartcards robust against attacks. They work so well that the US Department of Defense uses a smartcard, called the Common Access Card (CAC), for authentication. The CAC is similar to much cheaper consumer smartcards, but is even more hardened against attack.

Smartcards are used in Europe as credit cards. In contrast, it is easy to forge the magnetic strip (magstrip) credit cards used in the US; the magstrip returns identical information each time it is swiped. This information is so easy to steal that in many places you no longer give your credit card to the cashier or waiter; a dishonest cashier might, for example, have a portable magstrip reader which would capture your credit card information. Instead, you swipe the card yourself and then sign electronically. The signature is not checked; it’s just recorded. At least twice, my wife’s debit card has been replaced, presumably because it was suspected that the card information could have fallen into the hands of an attacker.
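The challenge-response proof described above, set beside a magstrip that returns identical information on every swipe, as an added example that is not part of the original post. It assumes the card's public-key operation is an Ed25519 signature from Node's built-in crypto module; `makeSmartcard`, `makeChallenger` and `makeMagstripe` are hypothetical names, and the track data is constructed.

```javascript
const { generateKeyPairSync, randomBytes, sign, verify } = require("node:crypto");

// Hypothetical smartcard model: the private key lives in a closure and is never exported.
function makeSmartcard() {
  const { publicKey, privateKey } = generateKeyPairSync("ed25519");
  return {
    publicKey, // registered with the challenger when the card is issued
    respond: (challenge) => sign(null, challenge, privateKey),
  };
}

// Challenger: issues a fresh random number per attempt and accepts each one only once.
function makeChallenger(cardPublicKey) {
  const outstanding = new Set();
  return {
    newChallenge() {
      const c = randomBytes(32);
      outstanding.add(c.toString("hex"));
      return c;
    },
    check(challenge, response) {
      // Unknown or already-consumed challenges are refused before any crypto runs.
      if (!outstanding.delete(challenge.toString("hex"))) return false;
      // Verification needs only the public key; the secret never leaves the card.
      return verify(null, challenge, cardPublicKey, response);
    },
  };
}

// Magstrip model for contrast: the same bytes come back on every swipe.
function makeMagstripe(trackData) {
  return { swipe: () => Buffer.from(trackData) };
}

function demo() {
  const card = makeSmartcard();
  const challenger = makeChallenger(card.publicKey);

  // Legitimate exchange, observed in full by an eavesdropper.
  const c1 = challenger.newChallenge();
  const r1 = card.respond(c1);
  const legitimate = challenger.check(c1, r1);

  // Resending the recorded pair fails: the challenge was already consumed.
  const replaySamePair = challenger.check(c1, r1);

  // Answering a fresh challenge with the recorded response fails verification.
  const c2 = challenger.newChallenge();
  const replayOldResponse = challenger.check(c2, r1);

  // Magstrip: a recorded swipe is byte-for-byte what the real card would send.
  const stripe = makeMagstripe("CONSTRUCTED-TRACK-DATA-0000"); // constructed sample
  const recorded = stripe.swipe();
  const magstripeReplay = recorded.equals(stripe.swipe());

  return { legitimate, replaySamePair, replayOldResponse, magstripeReplay };
}

console.log(demo());
```

The challenger stores only the card's public key, so a breach of the challenger's records yields nothing that can answer a future challenge.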

Credit card numbers are stolen all the time, both from physical credit cards as well as from information stored on retail and transaction computers. These numbers can be purchased quite cheaply on the Internet. (Typically from 1 to 10 dollars each.)

Given the advantages of smartcards, why doesn’t the US use them for credit cards? The answer typically given is that it would be expensive to switch over to this scheme, especially in replacing all the card readers at retail establishments. And after all, consumer credit card losses are limited to $50, so why worry?

Credit card associations such as Visa don’t worry about it. They require the banks which issue the credit cards to assume the risks. Banks don’t worry about it; they require the retailers to assume the risks.

The problem with such thinking is that the entities which are in a position to change things (the association and banks) have no motivation to do so because they don’t pay the loss. The retailers pay for it, and they pass on as much of the cost as possible to consumers.

But the world is not so simple. What if there were really large losses? (And with computers, problems can mount very quickly.) Retailers could go bankrupt, leaving the banks holding the bag. If enough of these retailers went bankrupt, the banks would be threatened. Banks might protect themselves by wholesale revocation of credit cards. This cure might be worse than the disease, as consumers might be unable to pay for food, a car repair, or to finance their small business. To stop a depression the government would need to bail them out. And that means us.

Cleanup would be very expensive. As a society, we need to do more to anticipate problems and prevent them. Why don’t we?

Categories: Computer Security Tags:

Computer Security

October 25th, 2009 Jon Solworth 1 comment

The central defining characteristic in security is an attacker. An attacker is perhaps most simply defined as a person who will take what is not voluntarily given. Security is intended to prevent that from happening. Obviously, you seek to protect, to secure, that which has value to you. Security is quite old, making its appearance quite early in the dawn of mankind, being at least hundreds of thousands of years old.

Computer security is a relatively new field, being less than fifty years old. It dates to the 1960s when computers first became powerful enough to be simultaneously shared by multiple users. Once computers were shared, it became necessary to ensure that these users didn’t interfere with each other. While sharing has changed from the early days—most computers now have a single user—a computer’s programs and data are produced by many different people, and some of them are attackers. Surprisingly, the interference from these attackers can only be of three forms: The first is the unwanted disclosure of information (violating confidentiality). The second is the unwanted update of information (violating integrity). And the third is the unavailability of information to be used as intended.

Anytime there is a need for computer security, both integrity and availability are required. If the integrity of information is not protected, then the information may be changed into meaningless noise. Similarly, if the availability of information is not maintained, the information could be made unusable. In the absolute, integrity and availability reduce to the same problem, total loss of information. If the information owner was indifferent to this loss, the information could be simply destroyed; this has the added benefit of ensuring confidentiality, since destroying the information prevents its theft. Therefore, if the information is maintained, it follows that its integrity and availability must be protected.

At this point, I can imagine my wife’s reaction when she reads this. She’ll tell me, “it’s … mmm .. too dry.” “Too dry?” I say. “It sounds like you’re lecturing” (or worse yet “writing a paper”) she says. “What’s wrong with that?”, I say. But somewhere in the back of my mind I have an uncomfortable feeling that she may have a point. So maybe I better cut to the chase, and (mostly) cut the pedantry.

It’s this dual requirement for integrity and availability which makes the problem so severe, even when the computer user is aware of the problem. There are many things for which we buy a computer: using the web, email, playing games, playing music, etc.; we also use it for banking, shopping and managing investments. We want it to be available for all these purposes. But many of these sites are conduits for malware—programs that do harm—that an attacker wants to install on your computer. They come from free sites with pretty pictures, from email attachments, and from infected legitimate web sites. One should be suspicious of sites which give you things for free without apparent sponsorship; often they are supported by implanting malware on your computer. But malware also comes from “legitimate” sources: For example, Sony installed a rootkit which interfered with the computer owners’ ability to control their system. The more activities performed on a computer system, the more vulnerable that system is to attack. These attacks seek to violate the integrity of our computer systems.

And these attacks have been very effective. One in four computers is a bot, that is a computer which is controlled by an attacker. Since there are over 1 billion personal computers, this means that there are 250 million bots. Worse, this means if you are doing on-line banking there is a 1 in 4 chance you are doing it on a bot. It is estimated that the cost of cybercrime exceeds $100 billion, eclipsing the drug trade. You run a virus scanner? It may provide some protection, but the attackers are always innovating; virus scanners prevent some but not all attacks. What can you do?

The safest thing is probably not to use on-line banking. That’s probably too drastic for most people. The next safest thing is to create a bootable thumb drive (with its own OS and minimal other software) and boot from that drive when you do your banking. And don’t use the thumb drive for anything else. Unless malware is installed by the software distributors of the code on your thumb drive, or by your bank, you’re pretty safe. And that’s a lot better odds than you’re facing now.

Acknowledgment: The use of a thumb drive for banking was first suggested to me by Klaus Kursawe.

P.S. Quoting my wife in the article worked like a charm (although she denies it had any effect on her judgment). In any event, it got by the censor. So if you don’t like the article, please write to her!

Categories: Computer Security Tags:

Passion

September 15th, 2009 Jon Solworth 8 comments

Life is simple.  You’re born.  You die.  It’s what you do in between that counts.

There are many choices of how to live a life, big and small.  Who you marry, where you live, what career you pursue, and what involvement do you have in your community.  These choices fundamentally define who you are. They matter more than your innate talents, the gifts with which you started life.

There are many choices which don’t define us. We make them of necessity.  But the choices which define us are of such importance that they should be deliberately made.  Some people allow these decisions to be made by default; they blame these decisions on external factors which are, in the final analysis, insignificant. These decisions-by-default are a lost opportunity, and they diminish the individual.

Although the choices that are available to us, and our basis for choosing them, depend on the time and place in which we live, our gifts, and our achievements and although they may seem small, they are not.  Many opportunities arise unexpectedly.  These opportunities are no less important than those that arise by planning; on the whole they are more important.  The planned opportunities prepare you for the unplanned ones.  As Isak Dinesen, author of Out of Africa has been paraphrased: “Why did God make the world round?  So that we couldn’t see too much of the road ahead.”

To make these decisions well, you need to decide what is important to you.  This is not about what is merely desirable, but that which is central to your being.  To find your passion.  And then live it.  If you can’t live your passion, is it really your passion? As T. Alan Armstrong wrote “If there is no passion in your life, then have you really lived? Find your passion, whatever it may be. Become it, and let it become you and you will find great things happen for you, to you and because of you.”

One of my great abiding passions is learning and in particular research. My research area is computer security, which has both special joys and challenges.  It is challenging to understand the problems of, and solutions to, issues in computer security.  I am captivated by its complexity and its subtlety.  Most of all, I am drawn to its impact on the individual and society.  This shapes my research in computer security and determines its direction.

I think that this can lead me to be out of step with the computer security research community.  Computer security is hard, and old, but unsolved problems are often ignored.  But I don’t care, I’m driven by my inner compass.  I follow this direction because I must—it is who I am—and thus it’s easy to do so.   What else could I do?  As Angela Monet said “Those who danced were thought to be quite insane by those who could not hear the music.”  Listen to yourself and follow the truths and beliefs you hold.

I was told by one of my students that I have a lot of energy; it comes from my passion.  I encourage students to determine if they have this sort of passion, and if so to do a Ph.D.  It’s a great life, and a great thing to do, if that is who you are.  If you’re interested in working in computer systems security, come and join me.  There is a lot to do.  I can’t do it alone, I need your help.

Categories: Life/Academic Life Tags: