November 25, 2024

Posts Comments

A Challenging Response to Challenge-Response

May 19, 2003 by

One of the trendy ideas these days is challenge-response (CR) anti-spam technologies. The idea is simple: incoming email is intercepted before you see it, and a “challenge” email is returned to the sender. If the sender replies to the challenge message, then the original message is forwarded on to you; otherwise it is discarded. The idea is to require some kind of human involvement in the sending of each message. Sometimes the sender has to answer some kind of puzzle that is supposed to be easy for people but hard for computers.

Whenever we analyze a security technology – and that is what CR is – we need to look not only at the immediate effect of the technology, but also at how people will adapt to it. We need to look especially at how the bad guys will adapt. Will they adjust their attack strategy to defeat the new defense? Will the new defense create new opportunities for malicious attacks? Will the technology lead to an arms race between defenders and attackers? If so, can we predict the outcome of the arms race?

CR stands up poorly to this kind of analysis. To see why, suppose that Alice sends an email to Bob, and Bob is using CR. Bob’s computer sends a challenge message back to Alice and awaits her response. This challenge message had better get through to Alice; if it doesn’t, the whole scheme breaks down. If Alice is using anti-spam technology that blocks the challenge message, then she’ll never see the challenge – her original message won’t get through to Bob, and she won’t know what went wrong.

We can fix this problem by making sure that Alice’s anti-spam technology has a loophole for challenge messages, to make sure they are never blocked. (Note that although Bob is the one using CR, it is Alice who has to create the loophole.) If CR is going to succeed, most of the Alices out there will have to open the loophole. Messages with certain “challenge-ish” attributes will be mostly immune from spam controls.

At this point, the bad guys’ response is obvious: create spam that can exploit the loophole, spam that looks like a challenge message. If they can do this, then CR will have made things worse – spam will pour in through the loophole.

We might try to solve this problem by narrowing the loophole, requiring the challenge messages to be so narrowly stylized that they cannot carry a spam. This too creates an opportunity for the spammers. If the challenges are so predictable, then the spammers will be able to develop computer programs that spot the challenges and auto-send the required responses. If they can do this, then the spammers can just add automated CR responses to their automated email-sending software, and continue to pollute our inboxes.

Given all of this, I’m skeptical of CR as a response to email. If you’re the first on your block to adopt CR, and if nobody else uses anti-spam technology, then CR might provide you some modest benefit. But it’s hard to see how CR can be widely successful in a world where most people use some kind of spam defense.

Filed Under: Uncategorized Tagged With:

Kerr on Cybercrime Laws

May 15, 2003 by

Orin Kerr has written an.interesting paper, “Cybercrime’s Scope: Interpreting ‘Access’ and ‘Authorization’ in Computer Misuse Statutes,” in which he argues for a new way of understanding the prohibition, in the Computer Fraud and Abuse Act (CFAA) and other laws, on “access … without authorization” to a computer. It’s a long, dense law review article, but it’s definitely worth reading if you are interested in cybercrime law.

Both “access” and “authorization” turn out to be harder to interpret than one might think. Kerr argues convincingly that courts have interpreted these words inconsistently, and that the trend has been toward an overly broad interpretation that would effectively criminalize any violation of the Terms of Use of any online service. While such violations may be breaches of contract subject to civil lawsuit, it is unwise to criminalize every breach of contract. Criminal law is a sharp tool to be used only when necessary.

While he would narrow the interpretation of the CFAA, Kerr would not eliminate the CFAA entirely. He provides two main examples of the kind of acts he would still criminalize. The first example involves stealing or guessing a password to gain access to a password-protected service running on somebody else’s computer. More generally, he would ban any circumvention of an authentication mechanism used to control access to somebody else’s computer. The second example involves computer attacks that exploit a program bug (such as a buffer overflow) to seize control of a program running on somebody else’s computer.

Thus far, I was reasonably convinced by Kerr’s arguments. But now we come to the part that I found harder to swallow, in which he argues that “courts …should narrow the scope of unauthorized access statutes to circumvention of code-based restrictions on computer privileges.”

Talk of banning “circumvention” may raise ugly comparisons to the DMCA, but that’s a red herring. Kerr makes clear that he is talking only about code-based restrictions on access to other people’s computers. The egregious aspects of the DMCA, by contrast, are, first, that it allows someone to lock you out of parts of your own computer, and second, that it includes a broad ban on certain technologies. Kerr’s proposal suffers from neither of these flaws. While enshrining “circumvention” as a central concept in cybercrime law might be inconvenient rhetorically for DMCA opponents, it’s no problem substantively.

My skepticism about Kerr’s formulation is based instead on two issues. First, I suspect that “circumvention” may turn out to be just as slippery a term as “authorization.” Password-guessing is clearly circumvention, but that’s an easy case. When the facts are more complicated, judges will have a harder time figuring out what is circumvention and what is just clever action.

Here’s an example. Suppose you lock the front door of your house. If I pick the lock, that’s circumvention. But suppose I enter through the back door. Have I circumvented the front door lock? What if I crawl in an open window next to the front door? Is that a circumvention? “Circumvention,” like “authorization,”ends up entangled in a subtle calculus of expectations and social norms.

Kerr’s example of a buffer-overflow attack illustrates another problem with “circumvention.” Suppose that a bad guy sends your computer a sort of “ping of death” packet, and that because of a bug in your operating system, this packet allows him to seize control of your computer. What exactly is the “code-based restriction” that he has circumvented? You could argue that he has circumvented the absence of a method for controlling your machine from afar; but it seems like a stretch to claim that that absence is a “code-based restriction.”

What really happened in this example is that the bad guy exploited a difference between the way you thought your system worked, and the way it actually did work. This is a useful distinction that courts have recognized (as Kerr notes), but it doesn’t seem to fit neatly within Kerr’s framework.

My second objection to Kerr’s conclusion is more fundamental. Kerr’s strong argument for carefully tailored cybercrime law compels him to justify having a broader “circumvention” ban rather than a set of more narrow bans on specific actions, such as circumvention of certain authentication features. He does offer some justification, but I am not yet convinced. (It’s also worth noting that Kerr’s approach may be expedient, even if it’s not the best possible solution from a purely theoretical standpoint. For example, it may be easier to convince courts to adopt a “circumvention” interpretation of the CFAA than it would be to get either courts or Congress to rewrite cybercrime law around a family of narrower prohibitions.)

Finally, Kerr’s paper is a valuable reminder of how much we rely on the discretion of prosecutors and judges to make cybercrime law work. So far, this discretion has moderated the defects in current law, but that’s no excuse for complacency. We need to talk about what the law should be. Kerr’s paper is a valuable contribution to that discussion.

Filed Under: Uncategorized Tagged With:

Super-DMCA Update (Texas)

May 13, 2003 by

The Texas version of the Super-DMCA has been passed by the relevant committees in both the state House and Senate. It will probably come to a vote in the Senate later this week. If you’re a Texas resident, this would be good time to contact your state senator!

Filed Under: Uncategorized Tagged With:

iLoo: Joke, Blunder, or Both?

May 13, 2003 by

Business Week reports on the saga of iLoo, the Internet-enabled portable toilet announced last week by a British subsidiary of Microsoft. Microsoft is now claiming that this was just an April Fools’ joke, despite a body of evidence to the contrary.

The ordinary custom is to announce April Fools’ jokes on April 1. This one was announced on May 2. I know missed deadlines are a way of life in the software industry, but this is ridiculous.

You really should read the whole article. But if you can’t, here’s the end:

[An MSN UK spokesman] said that MSN UK, however, has engaged in pranks before. He noted that the group once announced that it had wired up a park bench for Internet access. He then corrected himself, stating that the bench, in fact, was a real demonstration.

Filed Under: Uncategorized Tagged With:

New Media: Success or Failure?

May 12, 2003 by

Mary Hodder at bIPlog points to Steve Lohr’s odd piece, “New Media: Ready for the Dustbin of History?” in Sunday’s New York Times. Mary argues that Lohr’s thesis – that the Internet has failed, except as a vehicle for e-commerce – is bunk. I agree.

Lohr makes two errors. First, he mistakes the financial failure of dotcom startups for a lack of social impact. Yes, many people lost money when the dotcom bubble burst. But the Internet kept chugging along, and the pace of real innovation (as opposed to “let’s sell pet food on the Net” pseudo-innovation) didn’t change.

The airlines are a perfect illustration of this profit-as-social-impact fallacy. The airline business has been, at best, a break-even proposition over its entire history. Despite their lack of profitability, the airlines have given us (relatively) cheap and easy air travel, and transformed our lives.

Lohr’s second fallacy is mistake the bad forecasts of a few prognosticators for the failure of an industry. Some of the “new media” visionaries turned out to be wrong in their detailed visions, but that doesn’t mean that online media were irrelevant.

It’s hard to predict the future. We shouldn’t be too surprised that the vision of online magazine Slate, as forecast by editor Michael Kinsley in 1996, hasn’t completely come to pass. Despite its midcourse corrections, Slate has been a cultural success, earning a dedicated readership and publishing a lot of good writing.

Internet pioneers should remember that it’s not always easy being on the cutting edge. Sometimes you lose money. Sometimes you misjudge the future. Even so, you’re creating something that changes the world.

Filed Under: Uncategorized