April 24, 2014


Stopgap Security

Another thing I learned at the Harvard Speedbumps conference (see here for a previous discussion) is that most people have poor intuition about how to use stopgap measures in security applications. By “stopgap measures” I mean measures that will fail in the long term, but might do some good in the short term while the adversary figures out how to work around them. For example, copyright owners use simple methods to identify the people who are offering files for upload on P2P networks. It’s only a matter of time before P2P designers deploy better methods for shielding their users’ identities so that today’s methods of identifying P2P users no longer work.

Standard security doctrine says that stopgap measures are a bad idea – that the right approach is to look for a long-term solution that the bad guys can’t defeat simply by changing their tactics. Standard doctrine doesn’t demand an impregnable mechanism, but it does insist that a good mechanism must not become utterly useless once the adversary adapts to it.

Yet sometimes, as in copyright owners’ war on P2P infringement, there is no good solution, and stopgap measures are the only option you have. Typically you’ll have many stopgaps to choose from. How should you decide which ones to adopt? I have three rules of thumb to suggest.

First, you should look carefully at the lifetime cost of each stopgap measure, compared to the value it will provide you. Since a measure will have a limited – and possibly quite short – lifetime, any measure that is expensive or time-consuming to deploy will be a loser. Equally unwise is any measure that incurs a long-term cost, such as a measure that requires future devices to implement obsolete stopgaps in order to remain compatible. A good stopgap can be undeployed fully once it has become obsolete.

Second, recognize that when the adversary adapts to one stopgap, he may thereby render a whole family of potential stopgaps useless. So don’t plan on rolling out an endless sequence of small variations on the same method. For example, if you encrypt data in transit, the adversary may shift to a strategy of observing your data at the destination, after the data has been decrypted. Once the adversary has done this, there is no point in changing cryptographic keys or shifting to different encryption methods. Plan to use different kinds of tactics, rather than variations on a single theme.

Third, remember that the adversary will rarely attack a stopgap head-on. Instead, he will probably work around it, by finding a tactic that makes it irrelevant. So don’t worry too much about how well your stopgap resists direct attack, and don’t choose a more expensive stopgap just because it stands up marginally better against direct attacks. If you’re throwing an oil slick onto the road in front of your adversary, you needn’t worry too much about the quality of the oil.

There are some hopeful signs that the big copyright owners are beginning to use stopgaps more effectively. But their policy prescriptions still reflect a poor understanding of stopgap strategy. In the third and final installment of my musings on speedbumps, I’ll talk about the public policy implications of the speedbump/stopgap approach to copyright enforcement.

Comments

  1. Copyfight says:

    The Best Defense is a Good Offense

    Ed Felten continues his series on the recent Speed Bump conference at the Berkman Center with a discussion of some guidelines for designing effective stopgap security measures (Stopgap Security). His previous post on the conference (What is a Speedbump…

  2. Cypherpunk says:

    I am not so sure that P2P systems can adapt as easily as you suggest to hide their users’ identities. I often see this suggested but the analysis never goes beyond “use encryption”. That won’t help; the present lawsuits don’t rely in any way on eavesdropping or unauthorized access to data.

    The other idea I can think of is to use some kind of forwarding proxies or intermediaries for the end users to hide behind; but besides being technically difficult because it will slow down data transmissions (just try using Freenet), the forwarders would still be vulnerable to being sued for vicarious and contributory infringement.

    What’s the big secret here that I’m missing? How will the lawsuit-proof P2P network of the future operate?

  3. Rob Rose says:

    I’m wondering if the next stage of P2P is not hosting infringing content at all. If two different people are supplying two apparently random bitstrings and a third person is supplying a math function then nobody is infringing on anything. If the three are combined then one possible assemblage is then an infringing file.

    I’m not a lawyer, but it would seem to be analogous to infringement on patented mechanical devices. If my recollection of patent law from way way long ago is correct it is illegal for someone to manufacture a patented mechanical device unless licensed, but they could produce parts that could be assembled into an infringing device. The act of assemblage infringes the patent, and hence the end buyer becomes the criminal instead of the parts supplier.

  4. Ernest Miller says:

    Even if that worked as a legal hack, such a system would likely be vulnerable to a number of different attacks.

  5. Chris Brand says:

    If I were designing a P2P system, I’d design it so that the downloader had to click to say that they were authorized to download the file. That may be enough to protect the “uploader” (or else declare click-through agreements to be unenforceable, which would be no bad thing). The RIAA’s case against downloaders is far weaker than that against uploaders (no distribution or publication).
    The interesting question is how the RIAA could go after downloaders. As I understand it, they finger uploaders by downloading from them (certainly that’s the case with the CRIA in Canada). So presumably they’d finger downloaders by uploading to them. But if they’re the rights holder, doesn’t them providing the file for download imply that they’ve authorised you to download it?

  6. David Chase says:

    Ugh. Number one, don’t get too cute, the law is not a set of mathematical theorems giving definitive answers (and time in court to present your side of the “proof” costs big money).

    Number two, I really don’t like the way that the RIAA is driving the P2P crowd to develop ever-more-sophisticated ways to communicate anonymously/untraceably. There are bad people out there, but fortunately most of their work has been of the Mr. Evil caliber rather than Dr. Evil (i.e., bombs triggered by cell phones, reusing SIM chips, that sort of thing). Given their preference for off-the-shelf technology, I prefer that tracing/eavesdropping-proof P2P communication not become OTST.

    Number three, speaking only for myself, I have thus far derived zero benefit from P2P file sharing (because I don’t use it), and instead see only (indirect) costs, either because of potential reuse of the technology by criminal enterprises, or because of increasingly loony steps taken by the RIAA/labels in their attempts to thwart ripping and sharing of their music.

    Where the fault lies, I am not sure. Perhaps, just perhaps, all the P2P users are using the network in the same way that I use college radio (“what do I really want to buy?”) If that is true — and this is a runnable experiment, the labels could put up sample clips of some artists, not others, and see if this had any effect on (1) CD/iTMS sales or (2) P2P traffic — then the RIAA “should” back off (and it might even be in their economic interests to do so). If, on the other hand, it turns out that the P2P users are just a batch of copyright pirates, well, do we really need to spend a lot of time perfecting technology whose primary purpose is violating copyright (or worse)? I make my living in the IP business, I use GPL’d and other open-source-licensed products all the time — if not for copyright, this stuff would not be here.

  7. a little ludwig goes a long way says:

    Around the web this week

    Ed Felten on Stopgap Security — great pragmatic counsel on securing systems. A constant stream of judicious speedbumps may be a cost effective strategy. Blosxom 3.0 alpha available. I continue to find this solution compelling and may switch to…

  8. Roland Schulz says:

    I doubt putting up a few sample clips would really be an appropriate way to emulate the P2P networks by the labels. It leaves out the implicit ranking that is done by the uploader (since he will usually only offer for upload what he thinks is good). A song or movie well spread on a P2P network already tells the downloader that many people liked this content. P2P web pages like sharereactor (offline) go a lot further by providing a description of the content, usually with links to imdb.com or other relevant information, quite similar to what amazon features, but centered on the needs of the community that up and downloads the content. To recreate this network of impartial references of peers and implicit or explicit ranking would be a big amount of work for the content industry, and, given the tendency of especially the music industry to try to force the customer to comply with their market view instead of adjusting their offers to the actual demands, I don’t have too much hope on that happening :)

    Given this, imho David’s experiment is likely to not make any impact on CD sales or P2P traffic at all, especially if it involves only a small selection of titles. Holding to the comparison with the college radio example, it lacks the implicit ranking of the DJ who tries to play music people actually want to hear (or that he himself wants to hear in some cases:)

    Off topic, I’d like to see some research into how downloads in P2P networks affect concert and other media event sales. This part of the music industry is growing rapidly to my knowledge, and even ever rising prices for tickets don’t seem to stem the flow of people attending live events. One of the arguments the music industry makes against P2P is that it fails to pay the artists themselves. Independent and contract artists alike might very well profit from actively pushing their work to P2P networks, thereby gaining audience for live events, which, afaik, offer a lot more profit for the artist than what comes out of CD sales.

  9. Freedom to Tinker says:

    Regulating Stopgap Security

    I wrote previously about stopgap security, a scenario in which there is no feasible long-term defense against a security threat, but instead one resorts to a sequence of measures that have only short-term efficacy. Today I want to close the loop on tha…

  10. Ernest Miller says:

    Use your Turing tests. The RIAA can outsource responding to the tests to India or somewhere else where labor is cheap. Of course, always requiring a Turing test makes using the software slightly more inconvenient, and thus a legal alternative more attractive.