Saturday 10h15 [Video]
Moderator: Jane Bailey
Speakers:
- Joel Reidenberg, States and Internet Enforcement
- Jennifer Chandler, Internet Security
JC: Was infected by Blaster. It required no positive action by user: passive failure to patch.
Monetary losses from a general point of view, loss of confidence in a supposedly efficient system. 200 billion US$ is a figure often quoted for damages caused by security failures.
Not merely economic losses: also a problem when it affects critical infrastructure, e.g. power plants.
Possibility of censorship of unpopular sites via DoS attacks. A risk in a digital democracy. It’s a concern to have: e.g. the Al Jazeera English site during the Iraq war. Hacking? Natural DoS?
She’ll focus on availability of resources, with regard to distributed DoS attacks.
Underlying cause: bad software rushed to market; users that do not patch, use a firewall, scan for viruses; ISPs that refuse to scan for zombies. The hacker who controls the zombies.
Going after the hackers and the ISPs is not her focus.
From the point of view of end users: patches are poorly written and tend to break stuff. People are weary. Rapid rate of patches. Fake security alerts that try to install trojans. Changes to licensing agreements. It’s an externality problem: there are no consequences for you. It’s too much pain to patch though.
Solutions:
- Fine and disablement from ISP/corporate/school network.
- Liability of compromised users
- Mandatory automatic updates from MS
Biology analogies: crapware = inoculation to ensure we’re not too dependent on software that can, in the end, never be totally secure. Monoculture = vulnerable.
Liability of software developers:
- The target of DDoS has clean hands.
- The target has damages (usually high profile corp).
- The target has no contract with MS (or other corp).
a) you need a duty of care from the defendant (a duty not to create situations of unusual risk, e.g. landlords liable for insecure premises when there are attacks by 3rd parties).
b) pure economic loss, policy analysis
JR: Malicious code can be good: they offer the opportunity for states to focus on issues of jurisdiction.
The French Yahoo case: the failure by a country to enforce its democratically chosen policy is an abdication of its duties to its citizens.
Code == lex informatica
There has always been a policy injected into the architecture: ARPA and the Internet.
Public reengineering: ex ante automatic enforcement. DRM.
.NET Passport: collect data from users to manage passwords. MS was able to collect a mass of data. Legal in the US: no one cares about privacy in the US. Problem in the EU. MS reengineered the product design.
Successful efforts to get PayPal to refuse to process payments from online casinos.
Porn in the US: CIPA. Architecture to enforce policy decision.
Using intermediaries as enforcers: DMCA notice and takedown, going after the money, orders to ISP to block sites.
Worms and viruses have police power, e.g. attacking the MS update site. Spam blacklists being shut down by DDoS. The same devices could be used by states.
Tools:
- electronic border: China’s firewall. Yahoo French border. India’s Yahoo newsgroup shutdown.
- electronic blockade (restrain violator): interception of packets
- electronic sanctions: actions to shut down/disable
We should aim for the least intrusive device to achieve sanctions: consider the magnitude of the threat relative to public order, the urgency of the threat, the effectiveness of the tool, and the identification of the ultimate goal.
JZ asks: Should we block ports used by Windows networking, for example? Should the ISPs be allowed/encouraged to police their networks in that way?
The answer was not as concise and to the point as the question. It is indeed tough to find the sweet spot between end-to-end and attribution of liability (and the defensive measures by potentially liable parties).