Archive for the ‘security’ Category.

The Spread of the Sapphire/Slammer Worm

Moore, Paxson, Savage, Shannon, Staniford, Weaver: The Spread of the Sapphire/Slammer Worm

The Chronicle of Higher Education re Palladium

The Chronicle of Higher Education 2/21/2003 – Control Issues. Microsoft’s plan to improve computer security could set off fight over use of online materials

[ … ]

Colleges would decide whether to buy Palladium-capable software and hardware, and then whether to activate Palladium’s security functions. But practically speaking, they would face enormous pressures to do so, especially if publishers of books, journals, software, and other electronic “content” were to adopt Microsoft’s standard to deliver their materials online. The publishers could dictate that colleges had to use Palladium or else be denied access to the material. That worries many in academe, who believe that publishers would use Palladium to bar some uses of digital materials to which scholars argue that they are entitled under copyright law. That loss may outweigh the advantages of tighter security over student records, the critics say.

“If Palladium is adopted, and if other technology vendors exploit it fully to restrict access to copyrighted works, education and research will suffer,” says Edward W. Felten, an associate professor of computer science at Princeton University, who was the U.S. Justice Department’s chief computer-science expert in its antitrust case against Microsoft.

[ … ]

Palladium’s software components will be part of the next major version of Windows, which Microsoft has said it may release toward the end of 2004. Some hardware components that Palladium needs, including a security chip, are available already in a notebook computer, the IBM ThinkPad T30. Chip manufacturers and the major computer companies — Dell, Gateway, Hewlett-Packard, and IBM, among others — have begun work to redesign PCs so that they will work with Palladium software.

A key component of Microsoft’s new technology is the “nexus,” a minisystem that runs in a sealed-off area in the computer’s memory, where private transactions can be conducted, and where designated security and copyright policies would be enforced. In theory, the nexus is immune to many of the problems that plague Windows machines, like viruses.

[ … ]

“It’s definitely going to solve a lot of security problems, but it’s like any kind of new technology,” says William A. Arbaugh, an assistant professor of computer science at the University of Maryland at College Park. “It can do good or evil.”

Whether it is used for “good” or “evil,” he says, will depend on who gets to control the technology — colleges or the publishers whose “content” the colleges use.

[ … ]

With Palladium, owners of content would gain at the expense of consumers of content, including professors and students, says Eben Moglen, a professor of law and legal history at Columbia University. In fact, if Palladium were to become a widely accepted way of protecting copyrighted material, Mr. Moglen says, it would create “a closed system, in which each piece of knowledge in the world is identified with a particular owner, and that owner has a right to resist its copying, modification, and redistribution.”

In such a scenario, he says, “the very concept of fair use has been lost.”

Ross Anderson, who holds a faculty post as a reader in security engineering at the University of Cambridge’s Computer Laboratory, says Palladium will “turn the clock back” to the days before online information was widely available.

[ … ]

Some critics, like Mr. Schiller, say Palladium might achieve the results intended by the Uniform Computer Information Transactions Act, a model law devised by the National Conference of Commissioners on Uniform State Laws, which has been enacted only in Maryland and Virginia. UCITA is “an attempt to give these software licenses the force of a signed contract, even though you didn’t sign a contract,” Mr. Schiller says. With Palladium, technology would “enforce” the licenses de facto, he says.

Microsoft insists that its new technology is a neutral platform. “It is certainly possible that an application vendor could choose to use [Palladium] to evaluate and enforce some software licensing terms,” acknowledges Ms. Carroll. But “at the end of the day,” she says, “the terms of the license for an application are strictly an issue between the vendor and the university.”

Others think Palladium would be an anti-competitive tool in the hands of software publishers, especially Microsoft, which, in 1999, was found guilty by a federal district court of monopolistic practices. With Palladium, software publishers could decide to create programs that refuse to work with rival programs, a tactic that is difficult for them to get away with now, says Seth Schoen, a staff technologist at the Electronic Frontier Foundation, a group that promotes civil liberties in cyberspace.

[ … ]

Will MIT, whose researchers have studied Palladium, want to run it? Maybe not, says Mr. Schiller, the university’s network manager. “Personally, I would never use this technology,” he says. As for MIT, though, it’s an open question, he says. “Palladium has to become more real for us to really decide if we can use it.”

“If I had my druthers, I’d love the technology to be available and used for all the good things we could use it for,” Mr. Schiller says. “But I’m enough of a realist to know that’s not how it’s going to play out.”

[Privacy Digest]

Strategies for Securing Cyberspace and Protection of Infrastructure Released

Strategies for Securing Cyberspace and Protection of Infrastructure Released:

The National Strategy to Secure Cyberspace and the National Strategy for the Physical Protection of Critical Infrastructures and Key Assets will help us protect America from those who would do us harm, whether through physical destruction or by attacking our infrastructures through cyberspace.

These strategies recognize that the majority of our critical assets and infrastructures, such as those in the banking, telecommunications, energy, and transportation sectors, are privately owned and operated. The strategies outline Federal efforts and State and local roles in securing the Nation’s critical infrastructures, and identify opportunities for partnership with the private sector. The Department of Homeland Security will take the lead in accomplishing many of the objectives of these strategies. Other departments and agencies also have important roles to play. I encourage everyone, government at all levels, industry, and private citizens to continue to work together to make our nation secure.

Aberdeen security predictions for 2003

ESJ: Aberdeen security predictions for 2003:

  • “What we’re saying here is that [the] original notion of IDS has just fallen over at this point.”
    The problem is that an IDS that flags anything possibly malicious simply produces too many alerts, says the analyst. “If you’re dealing with more alerts than you can interpret, it doesn’t do you any good.” So companies today opt for more than just alerts. “Increasingly, we’ll see them not just looking for IDS, but intrusion prevention,” he says. Of course not everything can be prevented, but more automation at least frees security managers from just responding to alerts all day.
  • Another interesting prediction is that this is the year e-mail administrators will take back the network. “Last year, about 25% of what went through corporate gateways was spam,” says Hemmendinger. “We think it doubles this year, and that’s because the spam artists are sufficiently creative that they’ve been able to stay ahead of the bulk of the tools that are in the marketplace.”

Andre Durand

Lots of good stuff related to digital identity management can be found at the weblog of Andre Durand.

Sapphire/Slammer Worm Impact on Internet Performance

RIPE/NCC: Sapphire/Slammer Worm Impact on Internet Performance

“Looking at all data we can conclude that the Internet did not come to a global “meltdown” even though some individual sites were highly affected by this worm. Sixty percent of the measured relations do not show any sign of deterioration. This indicates most backbone links were fine and the problems were localized in edge sites or their immediate upstream provider. Also, eleven of the thirteen root servers remained accessible.”

State Attorney General Eliot Spitzer today announced

State Attorney General Eliot Spitzer today announced a multistate agreement with high-tech publisher Ziff Davis Media Inc. to redress an Internet security breach that exposed the personal information of thousands of magazine subscribers online.

Kevin Mitnick on Slashdot

SlashDot: Kevin Mitnick:

  • “In that same defamatory article, Mr. Markoff falsely claimed that I had wiretapped the FBI (I hadn’t), that I had broken into the computers at NORAD (which aren’t even connected to any network on the outside), and that I was a computer “vandal” despite the fact that I never intentionally damaged any data I’ve ever accessed.”
  • “As described below, I was never accused of abusing a position of trust, profiting from any illegal activity, or intentionally destroying information or computer systems.”
  • “I believe that former non-malicious (no intent to cause harm) hackers can be extremely valuable in helping businesses identify their weaknesses in technologies and procedures.”

To which I respond:

“A number of systems at the University of Rochester were compromised during the Shimomura incident. The compromises included deliberate destruction of log files. So which is it:

  • Deliberate destruction of log files doesn’t count as deliberate destruction according to KM?
  • Somebody else did it?
  • Oops, caught in a lie?”

SQL Slammer observations

Robert Graham on SQL Slammer:

  • Internet Infection was instantaneous
  • For individuals, it was binary, a square-wave
  • Better patch management would not have solved this
  • Easy – and obvious – remediation
  • The worm attacked everyone, all at once
  • Worst attack ever

“‘This is a wake up call.’
This is what they say every time a worm hits. It’s hard to believe them when their next sentence contains statements that demonstrate that they still don’t get it.”

Cross-Site Tracing (XST)