(A)bort, (R)etry, (I)gnore: Perspectives on Information Security

Four days ago I received an email from tax-refunds@irs.gov. A selection of interesting headers from the message appears below (sensitive information, such as my email address, elided). You’ll note two things. First, this email came to one of my U of C addresses, but it purports to be from the IRS. Why would the IRS (an American government agency) be sending a legitimate email to some random Canadian email address (yes, I’m a US citizen, but that’s besides the point — we’re playing the odds here, and certainly I have other valid US-based addresses the IRS could reach out to). So: strike one. Second, the U of C spam filter correctly tagged this as spam (hence the {Spam?} prefix in the Subject header. Strike two. Finally, the IRS itself says that it does not request information via email: http://www.irs.gov/privacy/article/0,,id=179820,00.html. Strike three. But it gets better. The phisher keeps swinging for the fences.

Return-Path:
Received: from correo.ziv.es (correo.ziv.es [77.226.243.115]) by
forward.ucalgary.ca (Postfix) with ESMTP id 25CE038227 for
; Mon, 6 Sep 2010 19:10:26 -0600 (MDT)
thread-index: ActOKXOX06gLrg0bRziJn6dBptyFCg==
Received: from User ([60.32.171.42]) by correo.ziv.es with Microsoft
SMTPSVC(6.0.3790.3959); Tue, 7 Sep 2010 03:10:24 +0200
From:
Subject: {Spam?} IRS Annual Notification (ID: A20W852)
Date: Tue, 7 Sep 2010 03:10:32 +0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary=”—-=_NextPart_000_009D_01C2A9A6.691CE492″
X-Priority: 3
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
Message-ID:
To: undisclosed-recipients:;
X-Foo-MailScanner: Found to be clean
X-Foo-MailScanner-SpamCheck: spam, SpamAssassin (not cached,
score=11.622, required 6.2, autolearn=disabled, BAYES_99 5.50,
FORGED_MUA_OUTLOOK 3.12, FORGED_OUTLOOK_HTML 0.00, HTML_IMAGE_ONLY_20
1.55, HTML_MESSAGE 0.00, HTML_SHORT_LINK_IMG_3 0.00, MIME_HTML_ONLY 1.46)
X-Foo-MailScanner-SpamScore: sssssssssss
X-Foo-MailScanner-From: tax-refunds@irs.gov
X-Spam-Status: Yes

The headers indicate that someone connected to a Spanish ISP (I’m guessing from “correo” and .es) has fallen victim to a spambot using their Microsoft Outlook Express (or this could be forged information, but why include code for mailing in your bot when you can just ask the OS to ask an application to do it on your behalf?). Spanish citizens probably aren’t sending email on behalf of the IRS. Strike four.

This message contained some boilerplate legalese (”This message is intended only for the use of the individual…blah blah blah”) and an HTML attachment. The boilerplate language also contained the sentence: “Any views or opinions presented are solely those of the author and do not necessarily represent those of the company.” The IRS is an agency, not a company, and so this sentence doesn’t jive. Strike five.

The HTML attachment was more interesting, although quite a basic attempt at phishing. I saved it to a file system and use the Unix `file’ command to see the general format of what it might contain:

[locasto@xorenduex quarantine]$ file Refund_Payment_Form\(ID\ A20W852\).html
Refund_Payment_Form(ID A20W852).html: ASCII English text, with very long lines, with CRLF line terminators
[locasto@xorenduex quarantine]$

Using the Unix `more’ command, I started to scroll through the file. Most of it appears to be a fairly standard scrape of a real IRS web page.

At line 324, however, we see an HTML table definition that contains a brief Javascript program starting at line 338 (immediately before this, the phisher attempts to close any other active script context with an “end” SCRIPT tag. The script is mean to check HTML form input before submission. It pops up Javascript alert boxes asking for a series of items. It starts by asking 3 times for your SSN, then requests your CVC/CVV2 (those short codes on the back of your credit card), your ATM signature, credit card expiration month and year, full name, billing address, home phone, date of birth (3X), mother’s maiden name, and name of your bank.

Places to enter this information appear in an HTML form defined immediately after this script. The target action of this form is to post the information the victim gives it to a PHP web page at hikinginn.com. The URL looks like some bulletin board or photo gallary: “/bbs/data/egallery/119701770/indexppl.php”. Presumably this page has been hijacked to contain code that accepts data from this phishing attempt. When I used wget to fetch this page, wget returned an HTTP 404 (Not Found) error, indicating that this page may well have been taken down.

[locasto@xorenduex quarantine]$ wget http://www.hikinginn.com/bbs/data/egallery/1197017760/indexppl.php
--10:54:55--  http://www.hikinginn.com/bbs/data/egallery/1197017760/indexppl.php
           => `indexppl.php'
Resolving www.hikinginn.com... 218.232.66.19
Connecting to www.hikinginn.com|218.232.66.19|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
10:54:56 ERROR 404: Not Found.

The web site itself is for a resort on the Korean island of Jeju.

By the way, if you’re confused about what CVC/CVV2 is, then the phishing form helpfully asks: “Need help with CVC/CVV2?” and links this question text to: http://www.sti.nasa.gov/cvv.html

Various agencies have heralded the use of backscatter X-ray machines [wikipedia] as a safe, non-invasive technique for scanning airline passengers to detect weapons or devices hidden under clothing or in sensitive areas of the body.

Independent of the security value of these machines, I was curious about how they operated, who developed them, and who sells them.

Steve Smith appears to be a scientist involved in creating similar technology (the “SECURE 1000“); the company Rapiscan seems to sell a variety of these kinds of devices. The SECURE 1000 looks different than backscatter machines I’ve seen at airports. It looks like Dr. Smith has been fairly successful; his research group’s Web site (http://www.spectrumsdi.com/) redirects to SAIC.

The ISU site claims that the risks from radiation of these machines is negligible.

This concept is a pretty hot topic:

“Airport admits ’strip search’ body scanners WILL show people naked”

“X-ray Body Scanners Arriving at Airports”

Slate, with the salacious title: “Digital Penetration”

The dailymail article above quotes an official saying: “The images are not saved, you literally walk through, the screener hits a button to say clear and the image goes.” The Slate article quotes the TSA: “‘Images will not be printed, stored or transmitted,’ TSA swears on its Web site.” [the link Slate provides is broken, but here is the TSA main page for "Advanced Imaging Technology" and the "Privacy" subtopic. -Ed.]

This claim is what troubles me most. It troubles me because it sounds like officials repeating a marketing line they’ve been handed by companies selling these sorts of systems, with little real proof or assurance for the public that these machines have been certified not to store the images.

Given the requirement to have the personnel looking at the scan be physically removed from the subject being scanned means that these images are captured and transmitted to some computer terminal. This in turn means that the image or file traverses a network and most likely winds up on a commodity PC screen. There is likely some file and temporary storage involved here — making sure that this data is completely wiped from the system and not inadvertently saved (even on hard disk temporary or memory swap space) is a non-trivial programming exercise. And there is a tangible energy cost to proactively deleting information.

The TSA privacy Web page for this technology says: “Advanced imaging technology cannot store, print, transmit or save the image, and the image is automatically deleted from the system after it is cleared by the remotely located security officer. Officers evaluating images are not permitted to take cameras, cell phones or photo-enabled devices into the resolution room.”

While this is an admirable sentiment, as a citizen, I’d like to see proof of these limitations rather than a statement of policy. In fact, given that running wires and cabling is an expensive process (and leads to messy trip hazards), I suspect the transmission of these images is wireless. It would be interesting to observe the wireless frequencies in use at airport checkpoints (something that can be done very surreptitiously, unless laptops are banned completely) and capture the data passing over them.

Also of interest, TSA’s Freedom of Information site: http://www.tsa.gov/research/reading/index.shtm. Among the documents here are PDF scans of citizen feedback on backscatter technology [PDF], ranging from a few well-argued positions to short, barely legible emotional reactions to various TSA practices. Also present are contracts that TSA has with various private companies. Good to see which beltway bandits are hooked up to the TSA teat. Finally, there are also videos of Salt Lake City’s checkpoints.

Threats to privacy exist in a number of forms. What is interesting about the following case is that the government is using the prosecution of someone who is probably guilty of breaking drug laws as a vehicle to expand its surveillance powers over law-abiding citizens. This is akin to the story of the motorcyclist in Maryland who was charged with wiretapping the police that pulled him over simply because he had a helmet cam. If the government can’t tolerate being observed, taped, recorded, and tracked, than why should citizens? Is not the citizen supreme? Doesn’t the government exist to serve the citizen, not the other way around?

http://www.time.com/time/nation/article/0,8599,2013150,00.html?hpt=T2 (Time.com)

It seems like we’ve reached a state in the US where the value proposition of living in a “free” republic has become less meaningful. Four hundred years ago, European settlers were quite willing to live on the frontier, braving the dangers that come with little or no infrastructure in return for the freedom of self-determination. In contrast, modern America seems to have become addicted to too many comforts; in the course of “outsourcing” the maintenance of law and order (so that we can continue ordering Starbucks, sending Tweets, and watching American Idol), we’ve given away extraordinary powers to those “security” institutions.

And here is the irony of it all — these institutions, faced with solving an impossible problem (the security and safety of every citizen) continually request (or seize) even more power, justifying said initiatives by claiming they need yet another power to keep us safe. This gradual process inexorably ends in a police state: there is no other social attractor at the end of this particular road. Only a determined and vigilant effort at reducing the size and scope of government power can combat this tendency. It likely takes civic leaders willing to assume a short, unspectacular political career: they come in, fix the problem, upset some portion of the electorate, and subsequently get voted out.

I’m concluding two years of experience with a 15-inch Macbook Pro, Mac OS X 10.5.8, 2.4 GHz Intel Core 2 Duo, 4 GB RAM. My experience suggests that the perceived “quality” of Macs is overrated — they are no more or less high quality than other commodity notebooks.

Specific complaints follow:

1. keyboard and trackpad randomly stop responding; reboot fixes issue for short time. Keyboard occasionally “stutters” or repeats characters until another key is pressed. This requires me to carry around an external keyboard and mouse. I hypothesize that the battery comes into contact with the keyboard and trackpad connector and leads to a short or overheated wire.
2. battery is effectively dead; unplugged operation of notebook leads to about 5 minutes of uptime before hard power off
3. the battery/CPU/GPU put off tremendous heat (others have noticed this “feature” of Macbooks
4. internal optical drive intermittantly fails to read CDs or DVDs; total failure about a year in
5. the “Automatically adjust brightness as ambient light changes” option under Display occasionally “checks” itself (even though I have unchecked it). As a result, the screen dims at inconvenient times
6. the built-in iSight camera has recently (within past 6 months) stopped working (this makes keeping in touch with family difficult, as I need to reboot every time I want to video Skype). I can get it to work briefly by shutting down the machine, resetting the system memory as described by Apple (with machine off, press and hold the power button for 5 seconds), and rebooting. When I manually reposition the physical screen position, the camera stops responding (in the middle of Skype sessions). It appears that the camera also stops working upon a suspend/closing the lid. From these symptoms, seems like a loose wire or connector.

Do I have good things to say about this machine? Yes, but they basically amount to “it works.” The negatives listed above, however, strongly detract from the overall usefulness of this machine, particularly as a mobile platform.

Helpful configuration information:

http://www.ucalgary.ca/it/help/articles/email/clients/tbirdosx/ldap

I recently started using git for managing libdisorder. I had used git once before, gotten distracted with other things, and never seriously learned it. I typically use either cvs or svn to manage code and paper repositories. The code is now hosted at both dyne.org and github:

http://github.com/locasto/libdisorder

http://code.dyne.org/?r=libdisorder

I found the following documentation to be of use while setting up the two remote repositories fed from my single local repository:

http://www.kernel.org/pub/software/scm/git/docs/user-manual.html#public-repositories

http://toolmantim.com/thoughts/setting_up_a_new_remote_git_repository

I was recently cited, among others (including Sal Stolfo and Chris Kruegel), for a Politifact article by Lukas Pleva on whether it was possible for private industry to shut down the Internet as a protection measure during some large-scale cyber attack with or without some form of government involvement:

The article is here:
Glenn Beck Host Says Obama May Soon Be Able to Shut Down the Internet

Although the folks cited in the article generally agree that the technical capability to do such a thing exists in the private sector, the experts question either the wisdom of such a move or the probability of such an action actually occurring without some form of high-level coordination between their corporate overlords and either the military or some civilian government agency.

The question of whether the government should have its hand on an Internet Kill Switch (this phrase itself smacks of hyperbole, and may be an overreaction or misrepresentation of the actual proposed legislation) has been raised largely due to provisions in recently proposed legislation, a previous version of which this blog has commented on before. This new round of media hysteria was prompted by Joe Lieberman’s resurrection of a similar, but more measured (by some accounts) idea. Schneier recently blogged about his take on this whole controversy.

Both obvious and subtle questions exist here, including:

1. What does “shut down” mean?
2. How complete would this shutdown be?
3. Is it desirable to shut down the Internet during a cyber attack?
4. Is it technically possible to do so?
5. Is it administratively or politically possible to do so?
6. Do private Tier 1 ISPs need either government permission or {techincal, logistical, communications} assistance to unplug?
7. How fast can this shutdown event take place?
8. Where should ultimate authority for such a move rest?
9. Under what conditions do we plug back in?
10. Are there alternatives?

We’ll try to deal with these below one at a time. Briefly, the answer depends on what type of threat it is, what “shutting down” the Internet means, and whether we distinguish between an administrative decision to shutdown versus a technical action to accomplish or realize this shutdown.

Disclaimer: There are only a few folks on the planet who fully understand the subtleties of controlling BGP and interdomain routing and working with it on a daily basis; I don’t pretend to be one of them. I’ve studied the basics of Internet routing along with academic research on routing security issues, but I’m willing to take correction or feedback if I’ve gotten something wrong.

1. What Do You Mean by “Shutdown”?

This term may entail a different series of actions and events to different people. I take this term to mean to termination of layer 3 (e.g., IP) connectivity and the termination of the BGP routes between major U.S. & North American ISPs and the rest of the world. Such a termination in connectivity could be accomplished in any number of ways (some of which are more realistic than others), such as (1) physically unplugging or severing border router links, cables, and fiber, (2) setting up traffic filters on border routers using their installed software (e.g., using IOS)…such a step is quite similar to setting up “firewall” rules for network packet filters like BSD pf or Linux iptables/netfilter, (3) stop announcing BGP routes or issue BGP route withdrawal messages, (4) setting a pack of rabid backhoes loose near network POPs and peering points.

“Shutdown” could also entail the activation of a large number of network filters looking for certain flows, content, or source addresses, networks, or routing prefixes (in the core, these are essentially the same data). These filters would have the effect of limiting traffic from flowing without completely disconnecting machinery or routing paths or implying some type of shut off or power outage.

2. How Complete Would the Shutdown Be?

There are private-sector companies (i.e., large Internet Service Providers or ISPs) that control much of the core Internet infrastructure (e.g., interdomain routing and DNS) that could shut down this infrastructure (i.e., the servers running these protocols) during some kind of global conflict. While it is true that there are a large number of ISPs, only a few really big players exist, and if they decide to terminate connectivity, this action would involve a large chunk of the network. Such an action by “US-friendly companies” would take large sections of the US and some other countries offline (the US serves as a transit network for a lot of worldwide traffice simply because many types of communications lines pass through us).

Such a shutdown would necessarily be incomplete. The Internet was designed by DARPA-funded scientists to be resilient even in the face of widespread nuclear attack. Taking the US routing infrastructure offline would still leave the rest of the world connected, and after a period of a few minutes for routers to reconfigure routes, the rest of the world would be exchanging traffic (probably more slowly, since the US contains a lot of high-speed links), but connected nonetheless (modulo some specific unreachable destinations simply due to how the physical and virtual infrastructure are connected). Many smaller regional ISPs have peering agreements and relationships that would still enable some traffic to flow, albeit more slowly (or possibly not very widely).

The bottom line is that no single company (or government) has the ability to shut off the Internet as a whole, but a small number of companies could disconnect large segments of it if they both chose and agreed to do so (which entails some administrative oversight giving permission to such a drastic change, since ISPs are paid to route traffic: no packets moving, no money).

3. Do We Want to Shutdown?

I think legitimate concerns exist as to whether a shutdown provides the right response in any reasonable case. While we have been conditioned by certain software practices that a reboot or reinstall is the standard way of getting back to a known good state, terminating the global instance of BGP (or a large portion thereof) represents a risky (albeit fascinating) and uncontrolled experiment.

Also, in most cases, eliminating this infrastructure would be the absolute worst course of action system defenders could take, as it greatly reduces communications (email, VoIP, social networking) that defenders require to coordinate against a large-scale threat. Even in the most dire of circumstances (i.e., whatever movie-plot scenario one might imagine), such action really isn’t an option — there are many ways to filter or reduce certain types of traffic that would be much more effective than simply severing links.

4. Is it Technically Straightforward to Accomplish This Shutdown?

I claim that it is technically “trivial” to shut down the US part of the Internet. Private-sector companies run this infrastructure, and their network operators have the skill and knowledge to configure it. In fact, accidental misconfigurations that severly disrupt connectivity occur quite often due to simple human error; see, for example, the AS7007 incident. One need not ask the US government for a technical aid to the shutdown process. This process should be as simple as pressing the right buttons — although I don’t know if these technicians actually practice such a maneuver or plan for it. Even if they do, I take it as given that they might make mistakes in the heat of the moment.

5. Is it Administratively or Politically Straightforward to Do So?

I’d say “no” and give as evidence the furor over this topic. I think that the political world tends to view the Internet as akin to any other piece of infrastructure (roads, water system, electrical grid), and I doubt that analogy provides a serviceable one. In the case of an Internet-scale attack on US information infrastructure, I don’t think that the conditions for the President to request a shutdown are clear or at all well-understood: the administration would almost certainly require private-sector analysis to inform its opinion. Furthermore, from a technical standpoint, this is the “nuclear” option, and we have no technology that tells us “how bad” a cyberattack actually is: are we being tickled with a feather, walloped by an anvil, or smacked on the backside with a plastic shovel? A misjudgment and overreaction here could be a cure much worse than the (misdiagnosed) disease.

6. Do Tier 1 ISPs Require Corporate, Political, or Military Involvement?

This answer depends on the definition of “involvement.” Much of the argument on this topic has been phrased in absolute terms: an administration would have sole command authority to issue an “Internet Kill” order. While government has not restrained itself from overreaching in the technical sphere before (see, for example, the downsides of CALEA and its invasion of the academic sphere), I doubt that political authority over the Internet would really assume this kind of authoritarian form (my personal politics make me extremely uncomfortable with this level of government control, so perhaps this is wildly optimistic thinking on my part). I don’t think that the government would either command or require ISPs to seek permission to enact large-scale filtering.

Nor do I think that ISPs would need a government whip to work together. Although ISPs compete with each other in a number of dimensions, and policy dictates the actual routing, ISPs also peer with each other and cooperate on a range of issues.

I don’t think that the ISPs need government assistance in terms of logistics; there is no need for the government to setup a hotline, website, or working groups, committees, panels, etc. to help ISPs talk with each other during such an emergency. Such communication could happen over the channels that ISPs already have established (some of these are informal contacts such as network operators sharing cell phone information) for Internet-scale emergencies (these happen regularly due to simple misconfiguration or failure of physical infrastructure).

In fact, the relationship is almost exactly the other way around: government requires industry assistance in terms of information, data, and analysis in case of such an event.

I do, however, concur that some part of the government would want to be in the decision loop for taking such a drastic step. They may not actually give the go-ahead or command that it be done, but I suspect that they’d want veto power or at least a warning that the business community was about to do this. This organ might be DHS, DOD, DNI, Interior, Commerce, NSA, or some other agency…I doubt the government has a coordinated plan or point of contact for such events (which I suspect was the intent behind the relevant clauses in the Rockafeller-Snowe bill to enable the executive branch to make such a call). I see this legislative attempt as a symptom of a government/administration that is on the verge of “getting it” in terms of the importance of critical information infrastructure, even if the expression of this awareness is to introduce clarity in the form of additional executive branch power over private commerce.

7. How Fast Could the Shutdown Take Place?

Network operators — the actual technicians in charge of routers and other network equipment — are a small, fairly tight-knit community. Even though these engineers work for many different companies, they (at least those working for the major players or Tier 1 ISPs) know each other quite well, and NANOG holds regular meetings. Informal cooperation happens all the time. I expect that in an Internet-scale emergency (as there have been in the past), this community would be in touch with each other quite quickly: so it is conceivable that they could coordinate a response to a major event and terminate basic connectivity within a matter of hours or minutes. Such a move would probably require some cooperation and coordination from both the political/military world as well as corporate approval. I assume that some minimal coordination happens before admins start typing at keyboards…but in a flat-out emergency, shutting off network interfaces can be accomplished very quickly.

Once either corporate leaders (alone or in consultation with civilian or military leaders) reach a decision, the technical difficulty of shutting down routers and other networking equipment can be accomplished within a few minutes. The bulk of any delay in reducing connectivity almost certainly rests in the human and policy decisions necessary to give the green light to such activity. I suspect that Tier 1 ISPs have some business process (independent of government regulation or cooperation) that requires VP or Director-level permission to execute such an action.

Where Should Ultimate Authority for Such a Move Rest?

This is the whole point, isn’t it? The answer depends on your politics. From a technical perspective, this is the difference between “policy” and “mechanism.” The mechanism is in place and sits almost entirely in private hands. The policy is distributed across the private and public sector, and I’m willing to believe that factions exist in both spheres that respectively (1) want and (2) abhor the responsibility for making such a call.

Under What Conditions Do We Plug Back In?

I see this question as more important than the others. Pulling the plug is a decision made under a certain set of circumstances and with a certain set of criteria in mind; have the politicians planned for when it will again be “safe” to plug back into the Internet? How will they know for sure? Do they realize that the Internet is already a very loud and risky battleground, and that we run this risk every day? Should all commerce, community, and information exchange grind to a halt simply because a few politicians and White House advisors got a bit nervous during a particularly loud cyberattack? Can the US financial markets and other information infrastructure be offline for extended periods of time?

This question highlights how (from a technical perspective) the issue of an Internet kill switch (either public or private) seems a bit nonsensical: it is overkill and almost certainly something likely to be used in a knee-jerk fashion with no thought for the recovery complexity. There is probably a good analogy to be made here that illustrates the self-defeating futility of disconnection, but I can’t think of one at the moment.

What Are the Alternatives?

The deployment of “reasonable” alternative defenses or reactions differs based on what type of attack we have to consider. Companies (including large ISPs, but also your “average” Fortune 500) have a variety of other internal defense mechanisms against cyberattack (coordinated or otherwise), but the efficacy of these mechanisms varies widely, and the effect is almost always local or limited to their own network infrastructure.

More Resources

For understanding interdomain routing, a good place to start is Tim Griffin’s page. You can move on to JI’s Fall 2002 Internet Routing course at Columbia and then Radia Perlman’s Interconnection’s book.

The company Renesys also provides deep, wide analysis of Internet-scale phenomena and conditions. At least in the public world, they have no serious competitor.

[Updated 15 July to point to Schneier's blog post. -Ed.]

I recently spent 11 days in Hanover, NH at Dartmouth College leading the SISMAT (Secure Information Systems Mentoring and Training) summer seminar. This seminar is one part of a comprehensive training, job, and research program for undergraduates. Students go on to an internship in information security and then a follow-on research project at their home institution under the guidance of a local faculty mentor and with occasional advice and support from us.

This year was the third year of SISMAT. Sergey and I refreshed the curriculum and implemented some changes inspired by the “failure modes” learning pattern we (inadvertently) discovered during last year’s seminar (as described in our March SIGCSE paper).

Briefly, the failure modes philosophy holds that students learn topics (e.g., networks) more naturally by observing the interplay in failures of a system (e.g., at layer 2 and layer 3 when certain services or connectivity don’t exist). This learning style seems more informative than just hitting students with the standard code pattern for opening a socket in C or Java. We tried to apply this principle (along with some other Hacker Curriculum principles) to other areas of the craft, including hands-on exercises with Web application vulnerabilities, disassembling various pieces of shellcode, and analyzing the detritus of a real intrusion.

SISMAT is always a lot of fun, and this year we had a great group of lively and talented students who are now well on their way to becoming (ethical) hackers. So far we’ve had 23 students go through the program, and we’ve had about a dozen faculty mentors from these students’ home institutions. We’re in the process of tracing how their projects and future careers have gone.

With severely limited funding for innovative cybersecurity education programs, we’re happy to do our part to fulfilling the need for well-educated information assurance professionals (and we’re grateful to the organizations that have funded us so far). It’s too bad that the prevailing opinion is that nothing fundamental or innovative could possibly happen in the education space: basic research into techniques, mechanisms, and systems is valued much more than actually producing well-educated cybersecurity professionals.

Today there was a meaty post (on the longish side, but worth it) on the DailyDave mailing list about ethical disclosure of vulnerabilities with respect to a recent Microsoft vulnerability.

http://lists.immunitysec.com/pipermail/dailydave/2010-June/006130.html

Juicy tidbit:

“So since most researchers in the security community
have had their spines and sense of justice/fairness contractually
removed by their respective employers, I’d like to comment on some of
these topics. The purpose of my mail is to call out (by name) the
individuals, “journalists”, and companies that manufactured the
controversy for their own benefit.”

There seems to be powerful motivations from both companies and “news”-hungry journalists and bloggers to spin tech events any way they want them. Besides the main point about curtailing the motivation for ethical vulnerability research, I suppose this episode serves as a cautionary tale in terms of the credibility of the “new media.”

This recent article about a 3rd-party Trojan’d piece of software for Linux is a bit sensationalist.

If a user purposely installs software of uncertain provenance (STONESOUP anyone?), it doesn’t matter what operating system lurks underneath. Does anyone know of an OS that refuses to execute an application the user commands it to install and execute?

I don’t think the community has found an effective sandboxing technique that provides both precision and accuracy in constraining arbitrary software (i.e., no technique that I know of automatically ascertains what the valid limits of the software should be within the constraints of security policy and user needs).

And it definitely should not be news that Linux is (and has been for a while) a target.