November 22, 2024

Important New Internet Standard

Internet security guru Steve Bellovin proposed today an important new Internet standard, RFC 3514, which creates a new “evil bit” in Internet Protocol packet headers. The evil bit is required to be set in all malicious packets. RFC 3514 fully examines the ramifications of this innovative proposal, including a discussion of what existing systems must do to maintain their current behavior.

Definitely a classic in the genre.

Use a Firewall, Go to Jail

The states of Massachusetts and Texas are preparing to consider bills that apparently are intended to extend the national Digital Millennium Copyright Act. (TX bill; MA bill) The bills are obviously related to each other somehow, since they are textually similar.

Here is one example of the far-reaching harmful effects of these bills. Both bills would flatly ban the possession, sale, or use of technologies that “conceal from a communication service provider … the existence or place of origin or destination of any communication”. Your ISP is a communication service provider, so anything that concealed the origin or destination of any communication from your ISP would be illegal – with no exceptions.

If you send or receive your email via an encrypted connection, you’re in violation, because the “To” and “From” lines of the emails are concealed from your ISP by encryption. (The encryption conceals the destinations of outgoing messages, and the sources of incoming messages.)

Worse yet, Network Address Translation (NAT), a technology widely used for enterprise security, operates by translating the “from” and “to” fields of Internet packets, thereby concealing the source or destination of each packet, and hence violating these bills. Most security “firewalls” use NAT, so if you use a firewall, you’re in violation.

If you have a home DSL router, or if you use the “Internet Connection Sharing” feature of your favorite operating system product, you’re in violation because these connection sharing technologies use NAT. Most operating system products (including every version of Windows introduced in the last five years, and virtually all versions of Linux) would also apparently be banned, because they support connection sharing via NAT.
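To make the mechanism concrete, here is a toy port-translating NAT of the kind a home router runs. It is an added example, not part of the original post; the class and function names are hypothetical and the addresses are constructed values from the documentation ranges. It shows that two machines behind the router appear upstream as a single origin address, and that the router alone holds the table needed to map replies back.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class SourceNat:
    """Simplified port-translating source NAT (no timeouts, no port reuse)."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out = {}   # (private ip, private port, remote ip, remote port) -> public port
        self.back = {}  # (public port, remote ip, remote port) -> (private ip, private port)

    def outbound(self, pkt):
        """Rewrite the "from" fields; this is the form the ISP sees."""
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[(self.next_port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return replace(pkt, src=self.public_ip, sport=self.out[key])

    def inbound(self, pkt):
        """Rewrite the "to" fields of a reply; drop anything with no mapping."""
        entry = self.back.get((pkt.dport, pkt.src, pkt.sport))
        if pkt.dst != self.public_ip or entry is None:
            return None
        return replace(pkt, dst=entry[0], dport=entry[1])

if __name__ == "__main__":
    nat = SourceNat("203.0.113.5")            # constructed public address
    for host in ("192.168.1.10", "192.168.1.11"):
        seen = nat.outbound(Packet(host, 51000, "198.51.100.7", 993))
        print(f"{host} -> ISP sees {seen.src}:{seen.sport}")
    reply = Packet("198.51.100.7", 993, "203.0.113.5", 40001)
    print("reply delivered to", nat.inbound(reply).dst)
```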

And this is just one example of the problems with these bills. Yikes.

UPDATE (6:35 PM): It’s worse than I thought. Similar bills are on the table in South Carolina, Florida, Georgia, Alaska, Tennessee, and Colorado.

UPDATE (March 28, 9:00 AM): Clarified the paragraph above about encrypted email, to eliminate an ambiguity.

UPDATE: I now have a page with information about all of these bills, including the current status in each state.

Leaks From CERT's "Good Guys" List

Brian McWilliams at Wired News reports on the leakage of unreleased security alerts from the government-funded CERT coordination center. Three secret alerts sent to members of CERT’s “good guys” club (known as the Information Security Alliance, or ISA) were reposted onto the open “Full Disclosure” mailing list.

The person who did this may have violated a contractual agreement to keep the information secret. If so, the release can be condemned on that basis.

In any case, this incident teaches us some valuable lessons. First, the idea of releasing vulnerability information only to a large set of “good guys” doesn’t work in practice. What’s to stop a malicious person from joining the club? And remember, a serious bad guy wouldn’t release the information to the public but would exploit it himself, or release it only to his malicious friends.

Ironically, one of the secret alerts that was leaked was little more than an abstract of a paper published recently by Stanford University researchers. Given CERT’s non-profit, public-good mission, it’s hard to see why CERT did not release this report to the public, since the information on which it was based had already been released (and even discussed on Slashdot).

It’s worth noting that, having set up a system where it is paid to deliver security secrets to the ISA membership, CERT has an economic incentive to manufacture secrets or to increase their perceived value to ISA members by withholding the secrets from the public for longer than necessary. I have no reason to accuse CERT of doing this systematically, but its handling of the Stanford paper does raise questions.

DRM, and the First Rule of Security Analysis

When I teach Information Security, the first lecture is dedicated to the basics of security analysis. And the first rule of security analysis is this: understand your threat model. Experience teaches that if you don’t have a clear threat model – a clear idea of what you are trying to prevent and what technical capabilities your adversaries have – then you won’t be able to think analytically about how to proceed. The threat model is the starting point of any security analysis.

Advocates of DRM (technology that restricts copying and usage) often fail to get their threat model straight. And as Derek Slater observes, this leads to incoherent rhetoric, and incoherent action.

If you’re a copyright owner, you have two threat models to choose from. The first, which I’ll call the Napsterization model, assumes that there are many people, some of them technically skilled, who want to redistribute your work via peer-to-peer networks; and it assumes further that once your content appears on a p2p network, there is no stopping these people from infringing. The second threat model, which I’ll call the casual-copying model, assumes that you are worried about widespread, but small-scale and unorganized, copying among small groups of ordinary consumers.

If you choose the Napsterization threat model, then you fail if even one of your customers can defeat your DRM technology, because that one customer will inject your content into a p2p network and all will be lost. So if this is your model, your DRM technology must be strong enough to stymie even the most clever and determined adversary.

If you choose the casual-copying threat model, then it’s enough for your DRM technology to frustrate most would-be infringers, most of the time. If a few people can defeat your DRM, that’s not the end of the world, because you have chosen not to worry about widespread redistribution of any one infringing copy.

Many DRM advocates make the classic mistake of refusing to choose a threat model. When they complain about the problem, they seem to be using the Napsterization model – they talk about one infringing copy propagating across the world. But when they propose solutions they seem to be solving the casual-copying problem, asking only that the technology keep the majority of customers from ripping content. So naturally the systems they are building don’t solve the problem they complain about.

If you’re a DRM advocate, the first rule of security analysis says that you have to choose a threat model, and stick to it. Either you choose the Napsterization model, and accept that your technology must be utterly bulletproof; or you choose the casual-copying model, and accept that you will not prevent Napsterization. You can’t have it both ways.

Berman Bill May Not Return

According to an article by Jon Healey in Friday’s Los Angeles Times, Rep. Howard Berman may not reintroduce his “peer-to-peer hacking” bill in the new Congress. The bill, you may recall, would authorize copyright owners to launch some types of targeted denial of service attacks against people who are offering infringing files via peer-to-peer systems like Kazaa, Gnutella, or the Web.

Berman had introduced the bill in the last Congress, but it died in committee. He had planned to reintroduce it, but is rethinking that after Hollywood expressed reservations about the bill.

This week, however, Berman said he may not revive the measure. For one thing, copyright holders may not need extra protection to combat file-sharing piracy, he said. And though Berman wasn’t deterred by complaints from consumer advocates, the concerns voiced by Hollywood studios – among the biggest beneficiaries of the bill, given their active anti-piracy efforts online – suggested that Berman was climbing out on a limb by himself.

In particular, Hollywood’s enthusiasm for the bill was dimmed by Berman’s insistence on imposing new liabilities on copyright holders that go too far in attacking pirates. “And if they’re not for it,” Berman asked, “where am I going?”