November 27, 2024

Posts Comments

Regulating Stopgap Security

May 3, 2004 by

I wrote previously about stopgap security, a scenario in which there is no feasible long-term defense against a security threat, but instead one resorts to a sequence of measures that have only short-term efficacy. Today I want to close the loop on that topic, by discussing how government might regulate fields that rely on stopgap security. I’ll assume throughout that government has some reason (which may be wise or unwise) to regulate, and that the regulation is intended to support those deploying stopgap measures to defend their systems.

The first thing to note is that stopgap areas are inherently difficult to regulate, as stopgap security causes the technological landscape to change even faster than usual. The security strategy is to switch rapidly between short-term measures; and, because adversaries tend to defeat whole families of measures at once, the measures adopted tend to vary widely over time. It is very difficult for any regulatory scheme to keep up. In stopgap areas, regulation should be viewed with even more skepticism than usual.

If we must regulate stopgap areas, the regulation must strive to be technology-neutral. Regulation that mandates one technical approach, or even one family of approaches, is likely to block necessary adaptation. Even if no technology is mandated, regulations tend to encode technological assumptions, in their basic structure or in how they define terms; and these assumptions are likely to become invalid before long, making the regulatory scheme fit the defensive technology poorly.

One of the rules for stopgap security technology is to avoid approaches that impose a long-term cost in order to get a short-term benefit. The same is true for regulation. A regulatory approach should not impose long-term costs (such as compliance costs) in order to bolster a technical approach that offers only short-term benefits. Any regulation that requires all devices to do something, for the indefinite future, would therefore be suspect. Equally so, any regulation that creates compatibility barriers between compliant devices and non-compliant devices would be suspect, since the incompatibility would frustrate attempts to stop using the compliant technology once it becomes ineffective.

Finally, it is important not to shift the costs of a security strategy away from the people who decide whether to adopt that strategy. Stopgap measures carry an unusually high risk of having a disastrous cost-benefit ratio; in the worst case they impose significant long-term costs in exchange for limited, short-term benefit. If the party choosing which stopgap to use is also the party who has to absorb any long-term cost, then that party will be suitably cautious. But if regulation shifts the potential long-term cost onto somebody else, then the risk of disastrous technical choices gets much larger.

By this point, alert readers will be thinking “This sounds like an argument against the broadcast flag.” Indeed, the FCC’s broadcast flag violates most of these rules: it mandates one technical approach (providing flexibility only within that approach), it creates compatibility barriers between compliant and non-compliant devices, and it shifts the long-term cost of compliance onto technology makers. How can the FCC have made this mistake? My guess is that they didn’t, and still don’t, realize that the broadcast flag is only a short-term stopgap.

Filed Under: Uncategorized Tagged With:

Off-the-record Conferences

April 29, 2004 by

In writing about the Harvard Speedbump conference, I noted that its organizers declared it to be off the record, so that statements made or positions expressed at the conference would not be attributed publicly to any particular person or organization. JD Lasica asks, quite reasonably, why this was done: “Can someone explain to me why a conference needs to be ‘off the record’ in order for people to exchange ideas freely? What kind of society are we living in?”

This is the second off-the-record conference I have been to in my twenty years as a researcher. The first was a long-ago conference on parallel computing. Why that one was off the record was a mystery to me then, and it still is now. Nobody there had anything controversial to say, and no participant was important enough that anyone outside a small research community would even care what was said.

As to the recent Speedbump conference, I can at least understand the motivation for putting it off the record. Some of the participants, like Cary Sherman from RIAA and Fritz Attaway from MPAA, would be understood as speaking for their organizations; and the hope was that such people might depart from their talking points and speak more freely if they knew their statements wouldn’t leave that room.

Overall, there was less posturing at this meeting than one usually sees at similar meetings. My guess is that this wasn’t because of the off-the-record rule, but just because some time has passed in the copyright wars and cooler heads are starting to prevail. Nobody at the meeting took a position that really surprised me.

As far as I could tell, there were only two or three brief exchanges that would not have happened in an on-the-record meeting. These were discussions of various deals that either might be made between different entities, or that one entity had quietly offered to another in the past. For me, these discussions were less interesting than the rest of the meeting: clearly no deal could be made in a room with thirty bystanders, and the deals that were discussed were of the sort that savvy observers of the situation might have predicted anyway.

In retrospect, it looks to me like the conference needn’t have been off the record. We could just as easily have followed the rule used in at least one other meeting I have attended, with everything on the record by default, but speakers allowed to place specific statements off the record.

To some extent, the off-the-record rule at the conference was a consequence of blogging. In pre-blog days, this issue could have been handled by not inviting any reporters to the meeting. Nowadays, at any decent-sized meeting, odds are good that several of the participants have blogs; and odds are also good that somebody will blog the meeting in real time. On the whole this is a wonderful thing; nobody has the time or money to go to every interesting conference.

I have learned a lot from bloggers’ conference reports. It would be a shame to lose them because people are afraid of being quoted.

[My plan still calls for one more post on the substance of the conference, as promised yessterday.]

Filed Under: Uncategorized

Stopgap Security

April 28, 2004 by

Another thing I learned at the Harvard Speedbumps conference (see here for a previous discussion) is that most people have poor intuition about how to use stopgap measures in security applications. By “stopgap measures” I mean measures that will fail in the long term, but might do some good in the short term while the adversary figures out how to work around them. For example, copyright owners use simple methods to identify the people who are offering files for upload on P2P networks. It’s only a matter of time before P2P designers deploy better methods for shielding their users’ identities so that today’s methods of identifying P2P users no longer work.

Standard security doctrine says that stopgap measures are a bad idea – that the right approach is to look for a long-term solution that the bad guys can’t defeat simply by changing their tactics. Standard doctrine doesn’t demand an impregnable mechanism, but it does insist that a good mechanism must not become utterly useless once the adversary adapts to it.

Yet sometimes, as in copyright owners’ war on P2P infringement, there is no good solution, and stopgap measures are the only option you have. Typically you’ll have many stopgaps to choose from. How should you decide which ones to adopt? I have three rules of thumb to suggest.

First, you should look carefully at the lifetime cost of each stopgap measure, compared to the value it will provide you. Since a measure will have a limited – and possibly quite short – lifetime, any measure that is expensive or time-consuming to deploy will be a loser. Equally unwise is any measure that incurs a long-term cost, such as a measure that requires future devices to implement obsolete stopgaps in order to remain compatible. A good stopgap can be undeployed fully once it has become obsolete.

Second, recognize that when the adversary adapts to one stopgap, he may thereby render a whole family of potential stopgaps useless. So don’t plan on rolling out an endless sequence of small variations on the same method. For example, if you encrypt data in transit, the adversary may shift to a strategy of observing your data at the destination, after the data has been decrypted. Once the adversary has done this, there is no point in changing cryptographic keys or shifting to different encryption methods. Plan to use different kinds of tactics, rather than variations on a single theme.

Third, remember that the adversary will rarely attack a stopgap head-on. Instead, he will probably work around it, by finding a tactic that makes it irrelevant. So don’t worry too much about how well your stopgap resists direct attack, and don’t choose a more expensive stopgap just because it stands up marginally better against direct attacks. If you’re throwing an oil slick onto the road in front of your adversary, you needn’t worry too much about the quality of the oil.

There are some hopeful signs that the big copyright owners are beginning to use stopgaps more effectively. But their policy prescriptions still reflect a poor understanding of stopgap strategy. In the third and final installment of my musings on speedbumps, I’ll talk about the public policy implications of the speedbump/stopgap approach to copyright enforcement.

Filed Under: Uncategorized Tagged With: ,

Extreme Branding

April 27, 2004 by

Yesterday I saw something so odd that I just can’t let it pass unrecorded.

I was on a plane from Newark to Seattle, and I noticed that I was sitting next to Adidas Man. Nearly everything about this guy bore the Adidas brand, generally both the name and the logo. His shirt. His pants. His shoes. His jacket. His suitcase. His watch. His CD player. And – I swear I’m not making this up – his wedding ring. Yes, the broad silver band worn on the fourth finger of his left hand was designed in classic wedding-band style, except for the addition of the Adidas logo, and the letters a-d-i-d-a-s embossed prominently on the outside.

Filed Under: Uncategorized

Princeton Faculty Passes Grade Quota

April 27, 2004 by

Yesterday the Princeton faculty passed the proposed grade inflation resolution (discussed here), establishing a quota on A-level grades. From now on, no more than 35% of the course grades awarded by any department may be A-level grades, and no more than 55% of independent work grades may be A-level.

I had to miss the meeting due to travel, so I can’t report directly on the debate at the faculty meeting. I’ll update this post later if I hear anything interesting about the debate.

Filed Under: Uncategorized Tagged With: