
Federalizing cybersecurity?

April 2nd, 2009  |  by jz  |  Published in Future of the Internet, cybersecurity  |  2 Comments

The Washington Post has reported that the U.S. Congress will shortly take up a bill to “empower the government to set and enforce security standards for private industry for the first time.”

Today’s conventional wisdom in cybersecurity circles is that:

  • we’re very much open to attack (defined lots of ways; often people mean: PCs attached to the Internet can be compromised by outsiders and then put to bad uses, turned into spies, or made to self-destruct).  Virtually no one takes cybersecurity as seriously as he or she should, in part because the costs of compromise are not always charged back to the person who should take measures.  (Many people don’t care if their PCs are sending spam in the background, so long as it doesn’t disrupt their Doom game.)
  • “perimeter defense,” the basic idea behind firewalls, doesn’t cut it.  If just one bad bit of code gets past the wall dividing a PC or a network from the rest of the world, it’s all over.  (This makes Senator Rockefeller’s soundbite a bit inapt: “You have to keep making higher walls.”)
  • for the first time, our defense establishment is genuinely not in a position to be able to “defend the homeland.”  That’s because much of the vulnerable infrastructure — PCs — is entirely in private hands and then connected to the world at large.  There’s no place for a fighter jet or Border Patrol agent to intercede.

Given these articles of faith, one can see how tempting it is — indeed, nicely bold — to propose a government official who can mandate certain security standards across the board.  But there are many potential problems with this approach.

First — could they realistically be made to apply to individuals?  What penalty should obtain if I fail to secure my computer?  Perhaps the thought is that operating system and software vendors could be regulated, the way that cars must have seat belts and air bags — precisely to deal with the problem of irresponsible individual drivers.  But that’s dicey: there are many clearly wrong ways to code operating systems, but that doesn’t mean there are obvious right ways to do it.  Many of the vulnerabilities we face come not from hidden exploits that take advantage of some literal bug in the way, say, Windows works, but from our own acquiescence in running new code.  We click “yes” to “are you sure you want to run this?” because we are impatient, and because so many times during the day we’re typically asked to make a snap decision like that.

Second — any standards process would quickly become the purview of security firms with something to sell.  Tens of millions of dollars or more could rise or fall on whether one’s security suite is made the obvious way to satisfy a particular regulatory requirement.  With no scale to determine how much security is enough — especially when risk aversion will vary so much from one firm or computer owner to the next — we run the risk of overregulation.  Too easily security standards will just amount to vendor selection.

So, what should we do?

Well, one fruitful point of dampening security problems is at the ISP level.  Computers that have fallen prey to an active worm or virus can frequently behave in predictable ways — sending out certain traffic patterns, or having vulnerabilities that can be detected at a distance.  ISPs know this, but are reluctant to tell their own subscribers that they have a problem, much less to quarantine them.  To do so means a customer service event — someone has to coach the user through fixing the machine.  But that incentive can be changed.  If ISPs were asked — well, required — to take more reasonable responsibility for zombie computers located on their networks, they could rise to the occasion.
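What ISP-side spotting of zombie machines can look like in practice, as an added example that is not part of the original post: it scores constructed NetFlow-style records for two of the predictable patterns mentioned above (direct-to-MX spamming and single-packet port scanning) and maps hits to a notify-or-quarantine action. The thresholds and the quarantine policy are assumptions an operator would tune from its own baseline.

```python
"""Flow-based spotting of likely-compromised subscriber hosts at an ISP.

Added example, not code from the post.  The input is a constructed list
of NetFlow-style summaries such as an ISP's edge routers could export.
Thresholds are illustrative assumptions an operator would tune from its
own baseline; they are not measured values.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str       # subscriber host inside the ISP network
    dst: str       # remote host
    dport: int     # destination TCP port
    packets: int   # packets in the flow


SMTP_PEER_LIMIT = 20   # distinct remote mail servers contacted by one home host
SCAN_PEER_LIMIT = 50   # distinct targets probed on one port by one host
PROBE_MAX_PACKETS = 3  # flows this small are connection attempts, not sessions


def find_zombies(flows):
    """Return {host: [reasons]} for hosts whose traffic looks bot-driven.

    Two of the "predictable" patterns the post alludes to:
      * direct-to-MX spam: a residential host talking SMTP to many servers
        (legitimate mail clients relay through one or two provider servers);
      * worm scanning: many tiny flows to one port across many targets.
    """
    smtp_peers = defaultdict(set)      # host -> mail servers contacted
    probe_peers = defaultdict(set)     # (host, port) -> targets probed
    for f in flows:
        if f.dport == 25:
            smtp_peers[f.src].add(f.dst)
        if f.packets <= PROBE_MAX_PACKETS:
            probe_peers[(f.src, f.dport)].add(f.dst)

    findings = defaultdict(list)
    for host, servers in smtp_peers.items():
        if len(servers) >= SMTP_PEER_LIMIT:
            findings[host].append(f"direct-to-MX spam to {len(servers)} servers")
    for (host, port), targets in probe_peers.items():
        if len(targets) >= SCAN_PEER_LIMIT:
            findings[host].append(f"scanning port {port} on {len(targets)} hosts")
    return dict(findings)


def quarantine_actions(findings):
    """Map findings to the customer-service steps the post says ISPs avoid."""
    actions = {}
    for host, reasons in sorted(findings.items()):
        # A scanning worm endangers other subscribers immediately, so it is
        # walled off; a spam bot gets a notice first (assumed policy).
        severe = any(r.startswith("scanning") for r in reasons)
        actions[host] = "walled-garden" if severe else "notify-subscriber"
    return actions


def sample_flows():
    """Constructed traffic: one spam bot, one scanning worm, one clean host."""
    flows = []
    # 10.0.0.7: spam bot delivering straight to 25 different mail exchangers
    flows += [Flow("10.0.0.7", f"203.0.113.{i}", 25, 12) for i in range(1, 26)]
    # 10.0.0.9: worm probing TCP/445 on 60 hosts with single SYN packets
    flows += [Flow("10.0.0.9", f"198.51.100.{i}", 445, 1) for i in range(1, 61)]
    # 10.0.0.3: normal user, mail via the ISP relay plus some web browsing
    flows += [Flow("10.0.0.3", "192.0.2.10", 587, 40)]
    flows += [Flow("10.0.0.3", f"192.0.2.{i}", 443, 30) for i in range(20, 30)]
    return flows


if __name__ == "__main__":
    found = find_zombies(sample_flows())
    for host, reasons in found.items():
        print(host, reasons, quarantine_actions(found)[host])
```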

Another underexplored strategy is to build our systems so that they can recover gracefully from problems.  Wikipedia isn’t designed to prevent all vandalism; instead it has technical tools that make it easy to revert a page to the state it was in before someone came along and vandalized it.  If the Wikipedia entry for Britney Spears is resilient to defacement, shouldn’t our valuable spreadsheets be the same way?  Imagine a history file automatically generated so we could see changes as they have happened and revert to an older version.  Then we need only deal with the problem of viruses that try to tamper with a document’s history — something that can be made very difficult to do.  Similarly, researchers like Butler Lampson have proposed PCs with “red” and “green” zones in them.  Stuff in the red zone can’t affect what’s going on in the green.  Trusted software ready for prime time goes in the green zone; experimental or new stuff goes in the red.  If there’s a problem in the red zone, it’s at least confined.  None of these approaches is a cure-all, but they can help a lot.
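One way to make a document’s history hard to tamper with, as an added example rather than anything from the post: each revision carries the hash of the one before it, so rewriting or deleting an old revision breaks the chain, and the newest hash (the anchor) is assumed to be kept somewhere the document’s own process cannot write. The revert is Wikipedia-style, adding a new revision rather than erasing any.

```python
"""Tamper-evident revision history with revert, in the spirit of the
post's "history file" idea.  Added example, not code from the post.

Every revision stores the hash of the revision before it, so altering or
dropping an old revision breaks the chain.  The newest hash (the anchor)
must live somewhere the document's own process cannot write, for example a
separate service or a signed backup; here the caller just holds on to it.
"""
import hashlib
import json

GENESIS = "0" * 64  # placeholder "previous hash" for the first revision


def _digest(seq: int, prev: str, content: str) -> str:
    # Canonical JSON so the hash does not depend on key order or whitespace.
    blob = json.dumps({"seq": seq, "prev": prev, "content": content},
                      sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


class History:
    def __init__(self):
        self.entries = []  # each: {"seq", "prev", "content", "hash"}

    def current(self) -> str:
        return self.entries[-1]["content"] if self.entries else ""

    def commit(self, content: str) -> str:
        """Append a revision; returns the new anchor for the caller to store."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        seq = len(self.entries)
        self.entries.append({"seq": seq, "prev": prev, "content": content,
                             "hash": _digest(seq, prev, content)})
        return self.entries[-1]["hash"]

    def verify(self, anchor: str) -> bool:
        """True only if every link is intact and the head matches the anchor."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if (e["seq"] != i or e["prev"] != prev
                    or _digest(i, prev, e["content"]) != e["hash"]):
                return False
            prev = e["hash"]
        return prev == anchor   # also catches truncated or stale history

    def revert(self, seq: int, anchor: str) -> str:
        """Wikipedia-style revert: restore an old revision as a *new* one."""
        if not self.verify(anchor):
            raise ValueError("history fails verification; refusing to revert")
        return self.commit(self.entries[seq]["content"])


def tamper_scenario():
    """Constructed run: edits, two tampering attempts, and a clean revert."""
    h = History()
    anchor = h.commit("Q1 revenue: 100")
    anchor = h.commit("Q1 revenue: 100\nQ2 revenue: 120")
    anchor = h.commit("Q1 revenue: 100\nQ2 revenue: 120\nQ3 revenue: 95")
    results = {"clean": h.verify(anchor)}
    # Attack 1: malware rewrites an old revision and even recomputes its own
    # hash; the next revision's `prev` still points at the original hash.
    bad = h.entries[0]
    bad["content"] = "Q1 revenue: 999"
    bad["hash"] = _digest(0, GENESIS, bad["content"])
    results["rewrite_detected"] = not h.verify(anchor)
    bad["content"], bad["hash"] = "Q1 revenue: 100", h.entries[1]["prev"]  # undo
    # Attack 2: delete the newest revision; the head no longer matches the anchor.
    dropped = h.entries.pop()
    results["truncation_detected"] = not h.verify(anchor)
    h.entries.append(dropped)
    # Legitimate use: roll back to revision 1 without losing any history.
    anchor = h.revert(1, anchor)
    results["reverted_to"] = h.current()
    results["revisions"] = len(h.entries)
    results["final_ok"] = h.verify(anchor)
    return results
```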

Finally, we can work to build collective solutions, neighborhood watches in cyberspace.  Right now each PC has a metaphorically autistic experience: it surfs from one site to the next with no awareness of what other PCs are doing.  Imagine having a little software on your PC that reports its vital signs to other participating PCs.  Collectively we could generate a map of the health of cyberspace, an early warning system — and a means of answering some very useful questions.  Before running new code, you could say: How many machines in the herd are running it?  How many self-proclaimed experts run it, versus neophytes like me?  Is the code brand new, or has it been around for months or years?  These questions are not beyond the expertise of most PC users, and the answers can help them make much more informed decisions about what code to run.

There’s a lot of work to be done to secure cyberspace — work that goes beyond any one set of regulatory “best practices” that we know won’t be uniformly implemented.

Responses

  1. Bertil Hatt says:

    April 2nd, 2009 at 3:02 pm

    Many important truths in that post — but an important element is missing: most hacks still go through traditional channels (human engineering, physical access). Recent failures (dropping USB keys in an NSA parking lot, losing laptops) plead for more central control too.

  2. Seth Finkelstein says:

    April 2nd, 2009 at 11:00 pm

    I find this post a bit confusing, since it lumps so much together as “security” – I kept thinking, but what is it that the bill was talking about in the first place? (in terms of “security standards”) And how does that relate to the items discussed?

Blog

  • FOI Topics and Links of the Week
  • A roundup of happenings that bear on the issues in The Future of the Internet –

    Canadian Android Carrier Forcing Firmware Update. A Canadian carrier wanted users to download a firmware upgrade that fixed a glitch prohibiting users from dialing 911, so it made the upgrade mandatory. Seems reasonable. But it bundled in an update that “prevent[ed] users from ever gaining root access to their phones.” Sneaky—one more way that contingent generativity really is contingent, even for savvy users.

    Biggest Mobile Operators Join Forces On App Store Project. A few dozen mobile operators have come together to try to create a mobile developer’s dream: a set of standards for applications that would work across phones and mobile OSes, and a single app store (with a single approval process) in which to sell those apps. This could be a good thing if it worked—developers might have more say in big-picture application development, and single carriers or hardware manufacturers would have less ability to be a development chokepoint. (It would also be nice for consumers, generally making the smartphone world look more like the PC world.) I’d be more excited if efforts to create uniform mobile standards weren’t so difficult and historically so unsuccessful.

    Demand for Android Phones Makes “Monstrous” 250% Jump. Another developer’s dream (perhaps), Android, is seeing significant growth. “Android has finally caught consumer interest,” according to a research firm. Also, Android users are almost as happy as iPhone users with their phone (72% to 77%).

    Big Brother Is Here, Families Say. This story is so bizarre, I don’t know what to make of it. A school in Philadelphia gave out laptops without telling the students or their families that the cameras could be remotely activated. The idea was to use the cameras if the laptops were stolen, but one family claims a camera was used to spy on a student. If true (details are cloudy), that would (a) be mind-bogglingly dumb on the school’s part, and (b) reminiscent of this (ubiquitous cameras) and this (remote activation) in the book. Check out the Onion’s take here.

    Microsoft takes the StopBadware Approach Further. Last week, MS obtained a restraining order to deactivate 277 domain names it had linked to the Waledac botnet. Severing the connection between drones and the mothership goes beyond tactics employed by the Google/StopBadware Project.  It effectively makes the targeted websites invisible, instead of slapping a prominent warning label on them. Although MS attempted to cut off only addresses used exclusively for spam, it appears that the single U.S.-based target may be a legitimate site, if a hapless drone.  While owners have the opportunity to reclaim their addresses, MS’s actions raise questions of proportionality and whether cooperation and information-sharing between prominent Internet denizens, such as MS and Google, if possible, would result in more efficient and just solutions. Their approach also highlights the tension between the need for secrecy to effectively attack the spam network and the notice usually required prior to legal action.

    One step behind. Thesixtyone.com, a site that allows the public to listen to, rate, and buy largely indie music, is looking for a hacker that can break up the bot-powered voting rings seeking to game their democratic rating system.  A laudable goal, but one spammers have already begun to circumvent by using real people instead of bots.

    Passing through the cloud. Katherine Boehret recently reviewed Pogoplug, a device that makes files web-accessible without actually storing them in the cloud.  While this type of solution doesn’t address data-portability concerns surrounding extraction of personal data in usable form – to allow seamless transition between social networking sites, for example – it does let the user maintain more control over data instead of entrusting it entirely to the cloud.  This control prevents third parties from holding data hostage and from losing, allowing government access to, selling, or mining personal information; but users can still access their files from almost anywhere.

    Please think twice. A website launched last week illustrates the risk of publicly sharing information online.  Pleaserobme.com aggregates Twitter posts that contain location-sharing information from Foursquare in a chronological list to show the potential for exploitation by Internet users with malicious intentions.  While it’s probable that only a small set of burglars will take advantage of this information, the site is an example of a grassroots campaign to raise awareness of potential problems for users who don’t recognize how the information they freely give can be mined.  Whether this awareness leads them to alter their behavior or simply “get over it” is up to the individual.

    Facebook messaging glitch. A subset of Facebook users experienced firsthand the risk of entrusting control of personal messages to third parties.  Last Wednesday, FB accidentally sent the private messages of a “small number” of users to strangers instead of the intended recipients.  Unlike well-publicized security breaches of credit card companies and banks, the misdirected messages were largely personal in nature and contained little identifying information, so the risk of actual injury is low.  But that may not be very comforting to those who had intimate details divulged to strangers.  Some of the accounts indeed provoke a gut-level enquiry as to how privacy violation should be measured.  On the flip-side, the occasional misrouting of a letter by the Post Office doesn’t give rise to much concern – and in that case the sender is usually clearly identifiable – so why should electronic mail be afforded greater scrutiny?

    —By Jennifer Halbleib and Elisabeth Oppenheimer

  • FOI Topics and Links of the Week
  • AppMakr Transforms App Store Landscape, Enables Anyone To Make Their Own iPhone App. Gagan Biyani raves about AppMakr, a product that allows anyone to make a simple RSS-based iPhone app for $199. The company will even submit the app to the App Store. (So, for instance, Biyani put together an app that aggregates all of MobileCrunch’s offerings.) The comments on the article are worth reading — one person says that “these types of startups definitely bridge the gap between idea people and actual phone developers,” and others consider how this will change the App Store.

    Mike Petrucci’s AppMakr Saga. Mike Petrucci decided to use AppMakr to put together an app aggregating his Twitter, blog, etc, feeds…only to have Apple reject it because it wasn’t of general interest. That’s a big difference between iPhone apps and, say, web apps (blogger has definitely never rejected someone for being of limited interest). It’ll be interesting to see what line Apple decides to take on this, and how AppMakr and similar companies push them.

    Apple orders Android mention scrubbed from App Store. Speaking of Apple…they order a developer to take “Finalist in Google Android’s Developer’s Challenge!” out of the description of its app. Just silly.

    In Europe, Challenges for Google. Much attention has been paid to Google’s business in China, but Europe (particularly Italy) poses difficulties, too—different copyright laws, different privacies laws, and different free speech traditions.

    Google Buzz Privacy Issues Have Real Life Implications. However, Google has more pressing privacy concerns to worry about this week, with the rollout and reaction to Google Buzz. Google generally does just fine releasing a half-baked product and cleaning up the details later, but that’s a terrible idea when the rollout includes auto-sharing previously private information. It’s disturbing that this concern made it past however many rounds of internal testing Google did.

    —Elisabeth Oppenheimer

  • JZ on the iPad
  • JZ has recently pondered the iPad in a column in the Financial Times. Some excerpts of his thoughts…

    First, he begins with a quick history of the subtle but massive shift between the Apple II and the iPhone:

    In 1977, a 21-year-old Steve Jobs unveiled something the world had never seen before: a ready-to-program personal computer. After powering the machine up, proud Apple II owners were confronted with a cryptic blinking cursor, awaiting instructions.

    The Apple II was a clean slate, a device built – boldly – with no specific tasks in mind. Yet, despite the cursor, you did not have to know how to write programs. Instead, with a few keystrokes you could run software acquired from anyone, anywhere. The Apple II was generative. After the launch, Apple had no clue what would happen next, which meant that what happened was not limited by Mr Jobs’ hunches. Within two years, Dan Bricklin and Bob Frankston had released VisiCalc, the first digital spreadsheet, which ran on the Apple II. Suddenly businesses around the world craved machines previously marketed only to hobbyists. Apple IIs flew off the shelves. The company had to conduct research to figure out why.

    Thirty years later Apple gave us the iPhone. It was easy to use, elegant and cool – and had lots of applications right out of the box. But the company quietly dropped a fundamental feature, one signalled by the dropping of “Computer” from Apple Computer’s name: the iPhone could not be programmed by outsiders. “We define everything that is on the phone,” said Mr Jobs. “You don’t want your phone to be like a PC. The last thing you want is to have loaded three apps on your phone and then you go to make a call and it doesn’t work any more.”

    The openness on which Apple had built its original empire had been completely reversed – but the spirit was still there among users. Hackers vied to “jailbreak” the iPhone, running new apps on it despite Apple’s desire to keep it closed. Apple threatened to disable any phone that had been jailbroken, but then appeared to relent: a year after the iPhone’s introduction, it launched the App Store. … But the App Store has a catch: app developers and their software must be approved by Apple. If Apple does not like the app, for any reason, it is gone.

    This blog has covered many of the apps that Apple has axed: the countdown to Bush’s departure, the app with information about health care, BabyShaker, religious spoofs, and programs to redirect calls, Google Voice, and I am Rich, among many others.

    But the lingering question is, so what? Is the world really worse off because we can’t pay $999 for an app that does nothing (I Am Rich), especially given that Apple’s screening system does get rid of many apps with security problems? Is this like First Amendment absolutism — a preference for open systems that doesn’t take into account actual costs and benefits?

    In response, JZ tries to imagine what we would have lost had the PC been as appliancized as the iPhone:

    To be sure, many rejected apps will not be missed. (Only eight spendthrifts bought I Am Rich before it disappeared.) And users can be protected from harmful software from suspect sources. But consider: the world wide web started as, and remains, an app. Its first versions were written by Tim Berners-Lee, a British computer scientist who was unaffiliated with any software or hardware vendor. How worthy of approval would Wikipedia have seemed when it boasted only seven articles — dubiously hoping that the public would magically provide the rest? How threatened might today’s content publishers feel by peer-to-peer apps that let iPhone users trade data from one phone to another? We know the answer to that: enough that they have persuaded Apple to exclude all such apps from the App Store.

    The web, Wikipedia, p2p — that’s a lot to lose. And at the same time we lose those benefits of generativity, as JZ points out, we give companies (and through them, governments) unprecedented censorship power. But the iPod, Pad, and Phone aren’t going anywhere. JZ concludes:

    Hope lies in more balanced combinations of open and closed systems, such as that embodied by the traditional Apple Mac – or phones based on the Android operating system from the Open Handset Alliance, a consortium of hardware, software and telecoms companies. Android Market is the approved counterpart to Apple’s App Store but, in this case, users are also free to go off-roading, installing any code they like. Android is a canary in the digital coal mine: will its more open model survive should people load suspect apps and find they cannot make calls any more?

    Mr Jobs ushered in the personal computer era and now he is trying to usher it out. We should focus on preserving our freedoms, even as the devices we acquire become more attractive and easier to use.

    —By Elisabeth Oppenheimer

  • FOI Topics and Links of the Week
  • The Extraordinaries Haiti Earthquake Support Center. A followup post on the Extraordinaries’ efforts to use ubiquitous human computing to help find missing people after the Haiti earthquake — a positive vision inspired by JZ’s nightmare scenario of crowdsourced secret police work. Did they succeed? “Yes and no”—but, as they detail, there’s obvious potential for future disaster relief.

    Amazon Cracks Open the Kindle. Amazon is opening the Kindle to outside developers who can market their products in what sounds exactly like an App Store, down to the 70-30 revenue split and light policing of apps. (One difference is that developers have to pay for wireless delivery.) It’s seeming like this is *the* model for the next few years. Speaking of which…

    Computers Should Be More Like Toasters. The sale of the Apple Tablet could mark an important moment for generativity. Computers have been shrinking and phones have been growing—but the critical difference has been that anyone could still code for a computer, until now. The Tablet looks more like a computer than a phone, but will Apple prescreen apps the way it does for the iPhone? Farhad Manjoo thinks that would be a good thing, but there are clear generativity costs.

    The Splinternet means the end of the Web’s golden age. Josh Bernoff points out that, as we switch to appliancized computers and smart devices instead of PCs, the web becomes a “splinternet.” Websites show up and operate differently on each device. He thinks about how to handle this from a business and marketing perspective, advising: “Here’s what not to do: panic and try to unify things again. The shattering cannot be undone.”

    Technology Changes “Outstrip” Netbooks. Meanwhile, the BBC considers the convergence among netbooks, smartphones, and tablet notebooks, and who the short- and long-term winners are likely to be.

    Apple censors Dalai Lama iPhone Apps in China. An interesting look at how censorship works on iPhones in China. (The story was written pre-Google announcement, so some portions are out of date.) Apple, complying with local law, appears to be removing apps related to the Dalai Lama in the Chinese App Store, and a search for Falun Gong apps freezes the search page. On the other hand, it’s possible to access YouTube through an iPhone app, which isn’t always possible on a PC.

    And in the crystal ball dep’t — from JZ’s book:

    Imagine entering a café in Paris with one’s personal digital assistant or mobile phone, and being able to query: “Is there anyone on my buddy list within 100 yards? Are any of the ten closest friends of my ten closest friends within 100 yards?” Although this may sound fanciful, it could quickly become mainstream. With reputation systems already advising us on what to buy, why not have them also help us make the first cut on whom to meet, to date, to befriend? These are not difficult services to offer, and there are precursors today.

    As usual, there’s an app for that… the “datecheck” app allows you to enter a name, phone number, or email address, and get information on your date. The categories are “sleaze detector” (check of criminal convictions & sex offenses), “$$$” (home ownership, etc), “interests” (gleaned from social networks), “living situation” (who they live with), and “compatibility”—although unfortunately, the “compatibility” check is still just a check of astrological signs. Now all they need is friends’ feedback rankings.

    —By Elisabeth Oppenheimer

  • Life in a clickshop
  • In talks about ubicomp, JZ gives an example of a worst-case scenario involving ubicomp platforms. He imagines that the Iranian government could use Amazon Mechanical Turk to identify dissidents, simply by posting pictures of protestors and ID-card pictures of the adults in the country, then asking Turkers to match protestor pictures to ID-card pictures. Voila—and the Turkers wouldn’t necessarily have to know what they were doing. In the department of amazingly cool ideas, though, the folks at the Extraordinaries reflected on the Iran example and then turned it around. After the earthquake in Haiti, they posted news wire pictures of people in Haiti (with crowdsourced help), asked others to post pictures of missing relatives, and finally asked volunteers to try to match the two up. This is v 1.0 of what could be a terrific and widely-used technology after natural disasters, allowing people at home to do more than just donate money.

    As we keep thinking about ubicomp and the potential upsides and downsides, it’ll be important to keep in mind that it’s a tool—a largely undeveloped one as yet—with much room to develop in both directions. In that spirit, I wanted to comment on this piece from Technology Review that casts a skeptical eye on Prof. Zittrain’s recent column in Newsweek on cloud labor (also known as ubiquitous human computing). The Newsweek editors gave the piece the ominous headline “Work the New Digital Sweatshops,” and Tech Review bloggers question whether that’s really a fair description of the Mechanical Turk platform. I’m not sure there’s a real disagreement here—the Newsweek headline overstated the content of the piece. Much of the point, as I read it, was just that cloudwork practices are so new, dynamic, and varied that it’s hard to know what the good and bad effects will turn out to be. As they point out, this could be a boon for workers here in the US who want flexibility and autonomy, as well as creating new kinds of opportunities for workers abroad. A few specific points are worth thinking about, though.

    They quote John Horton, at Harvard, who put out a HIT (“human intelligence task”) on Amazon Mechanical Turk asking about working conditions, and found that a small majority think AMT requestors treat workers better than most real-world employers. That surprised me—maybe I spend too much time reading Turker messageboards, where the theme is often discontent. I wonder, though, whether many responders use AMT for fun or small income supplements, rather than to earn a living wage, which changes the complexion of the situation. Even if Horton is wholly correct, though, it doesn’t mean requestors can’t improve. For a project I’m doing for JZ’s winter cyberlaw class, we’ve put up some AMT HITs asking about worker satisfaction. We’ve found that people do not like doing search engine optimization or creating spam, and a majority (though not an overwhelming one) likes knowing what the project is for. Disclosure of the company’s identity or the project purpose could become a much stronger norm on AMT, which would help fend off the problems of work alienation and unwittingly doing bad things with the platform, but wouldn’t detract from any of the benefits TR bloggers praise.

    The other major point they make is that this type of work can be good for workers in developing countries. That’s definitely true in some cases (see, for instance, previous blogging about CrowdFlower’s GiveWork program). I certainly don’t have enough background in international development to make an unambiguous statement either way. But surely it’s worrisome that children can be made to do the work as well as adults—there’s just no way of knowing who’s at the other end of the system. Overall, for better or for worse, we live in a society where we’ve decided that paternalistic labor laws play some valuable role. Some of them can be imported into an AMT context—but maybe not internationally—and the technology means that some can’t, even if, like child labor, there’s widespread condemnation. I would agree, and I think JZ would too, that we don’t want regulators charging in with too heavy a hand. But we should be alert to what’s happening on these platforms.

    —By Elisabeth Oppenheimer

About Jonathan Zittrain


Jonathan Zittrain is Professor of Law at Harvard Law School and co-founder of the Berkman Center for Internet and Society at Harvard Law School

Creative Commons BY-NC-SA Jonathan Zittrain unless otherwise noted.