Category Archives: Research

Firing Range or Virus Aquarium?

DARPA wants to build cyber firing ranges:
DARPA is interested in the full spectrum of network range capabilities, from network simulations and virtual test ranges that simulate future range architectures and protocols, to physical implementation of networks. Additionally, DARPA is interested in the full spectrum of testing environments – from individual hosts, to single enclaves and local area networks, to world-wide Wide Area Networks (WAN).

DARPA seeks network firing ranges for cyber weaponry, Keep out, war-warez test in progress, By Lewis Page, The Register, Published Tuesday 4th December 2007 13:50 GMT

Hey, looks like Randall Munroe already proposed the single enclave part of this in his comic, xkcd. Somebody’s going to make a bundle selling cyber ant farms and leasing DARPA the rights to shoot cyber bullets at them.

-jsq

Wealth of Internet Miscreants: Beyond Law Enforcement to Disrupting the Criminal Economy

How to get rich quick through ecrime:

This paper studies an active underground economy which specializes in the commoditization of activities such as credit card fraud, identity theft, spamming, phishing, online credential theft, and the sale of compromised hosts. Using a seven month trace of logs collected from an active underground market operating on public Internet chat networks, we measure how the shift from "hacking for fun" to "hacking for profit" has given birth to a societal substrate mature enough to steal wealth into the millions of dollars in less than one year.

An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants Jason Franklin, Vern Paxson, Adrian Perrig, and Stefan Savage. Proc. ACM CCS, October 2007.

How to stop it? Law enforcement is good, but insufficient. Ditto traditional technological Internet security methods. We already knew that. What now?

Real progress will be made by disrupting the criminal economy by poisoning trust. Read the paper for the authors’ suggestions of Sybil attacks and slander attacks. Make the criminals’ identities unreliable and poison their reputations.

This is considered the paper of the year by some prominent computer security professionals, and for good reason.

-jsq

eCrime Papers Posted

The APWG eCrime Researchers Summit has released its papers by linking them to its agenda. Lots of interesting stuff there about phishing and website takedown, capture and recapture, password reuse, behavioral reaction, etc.

There were also sessions on getting technology solutions adopted and user education, but those appeared to be panels, and don’t have papers posted.

-jsq

Bananas and Apples: Another Monoculture

Yes, we will have no bananas, again:

Most commercial growing facilities handle just a single banana type — the one we Americans slice into our morning cereal.

How much time is left for the Cavendish? Some scientists say five years; some say 10. Others hold out hope that it will be much longer. Aguilar has his own particular worst-case scenario, his own nightmare. "What happens," he says, with a very intent look, "is that Panama disease comes before we have a good replacement. What happens then," he says, nearly shuddering in the shade of a towering banana plant, "is that people change. To apples."

Can This Fruit Be Saved? By Dan Koeppel, popsci.com, June 2005

Cavendish is the variety of banana eaten the world around. "Quite possibly the world’s perfect food," says Chiquita. But perfection comes with a price if it leads to monoculture. And that’s what we’ve got with bananas: every commercial Cavendish banana tree is grown from cuttings of the original tree, and so is genetically identical. Banana monoculture has borne the fruit of disaster before.

Growers adopted a frenzied strategy of shifting crops to unused land, maintaining the supply of bananas to the public but at great financial and environmental expense — the tactic destroyed millions of acres of rainforest. By 1960, the major importers were nearly bankrupt, and the future of the fruit was in jeopardy. (Some of the shortages during that time entered the fabric of popular culture; the 1923 musical hit "Yes! We Have No Bananas" is said to have been written after songwriters Frank Silver and Irving Cohn were denied in an attempt to purchase their favorite fruit by a syntactically colorful, out-of-stock neighborhood grocer.) U.S. banana executives were hesitant to recognize the crisis facing the Gros Michel, according to John Soluri, a history professor at Carnegie Mellon University and author of Banana Cultures, an upcoming book on the fruit. "Many of them waited until the last minute."

Denial in the face of a clear and present ecological danger. We’ve seen this before.


Quantitative >= Qualitative

See Pete Lindstrom’s Spire Security Viewpoint for empirical evidence that mechanical quantitative diagnosis is almost always at least as good as clinical qualitative diagnosis.

There is still plenty of room for qualitative decision-making in arenas where there aren’t enough facts or the facts haven’t been quantified or there’s no baseline or there’s no mechanical method yet. But where those things are available, it’s better to use them. You’ll still need qualitative judgement for cases where the algorithm is right but it didn’t take into account unfortunate side effects, for instance. Even then, you’ve got a better chance of knowing what you’re doing.

-jsq

Metricon: Puzzle vs. Mystery

Here at Metricon 2.0, many interesting talks, as expected.

For example, Russell Cameron Thomas of Meritology mentioned the difference between puzzle thinking (looking only under the light you know) and mystery thinking (shining a light into unknown areas to see what else is out there). Seems to me most of traditional security is puzzle thinking. Other speakers and questioners said things in other talks like "that’s a business question that we can’t control" (literally throwing up hands); we can only measure where "we can intervene"; "we don’t have enough information" to form an opinion, etc. That’s all puzzle thinking.

Which is unfortunate, given that measuring only what you know makes measurements hard to relate to business needs, hard to apply to new, previously unknown problems, and very hard to use to deal with problems you cannot fix.

Let me hasten to add that Thomas’s talk, entitled "Security Meta Metrics—Measuring Agility, Learning, and Unintended Consequence", went beyond these puzzle difficulties and into mysteries such as uncertainty and mitigation.

Not only that, but his approach of an inner operational loop (puzzle) tuned by an outer research loop (mystery) is strongly reminiscent of John R. Boyd’s OODA loop. Thomas does not appear to have been aware of Boyd, which maybe is evidence that by reinventing much the same process description Thomas has validated that Boyd was onto something.

-jsq

Bill Gates Considered as Evil Primitive Bacterium

Has Freeman Dyson become an evolution denier?

Whatever Carl Woese writes, even in a speculative vein, needs to be taken seriously. In his "New Biology" article, he is postulating a golden age of pre-Darwinian life, when horizontal gene transfer was universal and separate species did not yet exist. Life was then a community of cells of various kinds, sharing their genetic information so that clever chemical tricks and catalytic processes invented by one creature could be inherited by all of them. Evolution was a communal affair, the whole community advancing in metabolic and reproductive efficiency as the genes of the most efficient cells were shared. Evolution could be rapid, as new chemical devices could be evolved simultaneously by cells of different kinds working in parallel and then reassembled in a single cell by horizontal gene transfer.

But then, one evil day, a cell resembling a primitive bacterium happened to find itself one jump ahead of its neighbors in efficiency. That cell, anticipating Bill Gates by three billion years, separated itself from the community and refused to share. Its offspring became the first species of bacteria—and the first species of any kind—reserving their intellectual property for their own private use. With their superior efficiency, the bacteria continued to prosper and to evolve separately, while the rest of the community continued its communal life. Some millions of years later, another cell separated itself from the community and became the ancestor of the archaea. Some time after that, a third cell separated itself and became the ancestor of the eukaryotes. And so it went on, until nothing was left of the community and all life was divided into species. The Darwinian interlude had begun.

Our Biotech Future, By Freeman Dyson, New York Review of Books, Volume 54, Number 12 · July 19, 2007

Has he sold out for an admittedly very fetching simile?


Vulnerability Auction

Here’s a thought: pay security researchers, and get the pay from a variety of sources:

According to Herman Zampariolo, CEO of WSLabi, We decided to set up this portal for selling security research because although there are many researchers out there who discover vulnerabilities very few of them are able or willing to report it to the right people due to the fear of being exploited. Recently it was reported that although researchers had analyzed a little more than 7,000 publicly disclosed vulnerabilities last year, the number of new vulnerabilities found in code could be as high as 139,362 per year. Our intention is that the marketplace facility on WSLabi will enable security researchers to get a fair price for their findings and ensure that they will no longer be forced to give them away for free or sell them to cyber-criminals.

Finally a Marketplace Site for Security Research, WabiSabiLabi, Tuesday, 03 July 2007

It’s not clear to me that they would be "forced" to sell them to cyber-criminals, but this should give them incentive not to. And WSLabi first verifies who the researcher is and replicates the exploit independently before packing and marketing it, thus reducing chances of fraud or mistaken identification.
