Friday, April 11, 2008

Microsoft end to end rebuttal, trust me

From: "Establishing_End_to_End_Trust.pdf"
The word transitive is not used once, though it is hinted at. Let me preface the rant below with the fact that I don't have the answer(s). As pointed out in the article on Page 7: "As noted below, there are historic, economic, social, and political forces that suggest a well-constructed regime is better than none at all, especially in light of the challenges we face on the Internet and the desire of people to be more secure in their daily lives"... and "We must create an environment where reasonable and effective trust decisions can be made." Agreed.

However (Christ, their lingo could do with some updating and accuracy though... read on!):

Apparently sloppy code, the pace of technology, a bloated, incestuous, self-serving IT industry lacking basic engineering discipline (around tolerances and expected usage), complexity, default permit, the near-zero cost of massive parallel attacks, jurisdictional immunity... yadda, yadda... have *nothing* to do with our current predicament. It's *all* about end-to-end trust. Hmm, subjective or objective, guys? I'm hoping end-to-end includes the dependencies that come with transitive trust...

Apparently, though, "Experience shows that most cybercriminal schemes are successful because people, machines, software, and data are not well authenticated and this fact, combined with the lack of auditing and traceability, means that criminals will neither be deterred at the outset nor held accountable after the fact. Thus the answer must lie in better authentication that allows a fundamentally more trustworthy Internet and audit that introduces real accountability."

Page 4: "But staying the current course will not be sufficient; the real issue is that the current strategy does not address effectively the most important issue: a globally connected, anonymous, untraceable Internet with rich targets is a magnet for criminal activity—criminal activity that is undeterred due to a lack of accountability."... hmmmm, yeah, but what about:

Geer: "Everything about digital security has time constants that are three orders of magnitude different from the time constants of physical security: break into my computer in 500 milliseconds but into my house in 5 to 10 minutes."

Geer: "Human-scale time and rate constants underlie the law enforcement model of security. The crime happens and the wheels of detection, analysis, pursuit, apprehension, jurisprudence, and, perhaps, penal servitude then, paraphrasing Longfellow, “grind slowly, yet they grind exceeding fine.” In other words, law enforcement generally has all the time in the world, and its opponent, the criminal, thus must commit the perfect crime to cleanly profit from that crime."

Geer: "If the physics of digital space and digital time mean we ally ourselves with the intelligence world view and not the law enforcement world view, we have to ask ourselves two things: is the price of digital surveillance a bearable price for the benefit of digital safety? And, if so, what is the unit of digital surveillance? What do we watch—people or bits?"

Back to Microsoft's Establishing_End_to_End_Trust...

Page 8: Misuse of the word hacker: "external hackers with access to their systems, in large part because a hacker"... will they ever learn, or at least work harder for a little respect? Apparently "device-to-device authentication" will foil the "hackers"... and the scripting of attacks "thus mak[es] anyone an “expert” hacker; and the amount of data that can be stolen is limited only by bandwidth" (Page 10).

Page 8: "robust management tools" are predicated on trusted management tools, and one would hope them to be robust to begin with :)

Page 8: "depending on the threat level"... define threat, and say what metric is used to measure the level.

Page 8: "flooding and probing attacks"... is probing an attack?

Page 8: "Autonomous defense would be possible if, for example, packets likely to be malicious (because they are reliably identified as coming from a dangerous source) could be dropped shortly after entering the network or at a computer’s interface to the network." Erm, a self-defending network by virtue of a firewall with a source reputation list?

Page 8: "Even the intractable insider threat could be more successfully addressed because better audit tools would make it easier to identify suspicious access patterns for employees in a timely manner." OK, so this is anomaly detection over audit data now, rebranded as trust?
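What "identify suspicious access patterns" actually cashes out to is per-user baselining over audit records, nothing to do with trust. The following is an added example (not code from the Microsoft paper or from this post) of that baselining: each user's daily access volume, working hours and resource classes are learned from a history window, and a later window is flagged where it departs from the user's own profile. The audit lines, user names and paths are constructed for the demo; the "ISO-timestamp user action resource" record layout is an assumption, as is the 3-sigma threshold.

```python
"""Insider-threat style anomaly check over audit records.

Added example: baselines each user against their own history, then flags a
later window on volume, off-hours activity, or a resource class never touched
before. Record format 'ISO-timestamp user action resource' is assumed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed baseline audit records (not real logs): four normal days.
BASELINE_LOG = """\
2008-04-07T09:12:00 alice read hr/payroll/2008-03.xls
2008-04-07T10:40:00 alice read hr/payroll/2008-03.xls
2008-04-08T09:05:00 alice read hr/payroll/2008-03.xls
2008-04-08T14:22:00 alice read hr/benefits/plan.doc
2008-04-09T11:30:00 alice read hr/payroll/2008-03.xls
2008-04-10T10:10:00 alice read hr/payroll/2008-03.xls
2008-04-07T09:00:00 bob read eng/specs/a.doc
2008-04-08T09:30:00 bob read eng/specs/b.doc
2008-04-09T09:45:00 bob read eng/specs/c.doc
2008-04-10T10:00:00 bob read eng/specs/d.doc
"""

# Constructed window under review: alice behaves as usual, bob pulls thirty
# payroll files at 2 a.m. from a tree he has never been in.
WINDOW_LOG = "\n".join(
    ["2008-04-11T09:20:00 alice read hr/payroll/2008-04.xls",
     "2008-04-11T09:25:00 alice read hr/benefits/plan.doc"]
    + [f"2008-04-11T02:{m:02d}:00 bob read hr/payroll/file{m}.xls" for m in range(30)]
)


def parse(log_text):
    """Turn 'ISO-timestamp user action resource' lines into tuples."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource = line.split()
        records.append((datetime.fromisoformat(ts), user, action, resource))
    return records


def build_baseline(records):
    """Per-user profile: daily count stats, hours of day seen, top-level resource classes."""
    daily = defaultdict(lambda: defaultdict(int))   # user -> date -> count
    hours = defaultdict(set)                         # user -> {hour of day}
    classes = defaultdict(set)                       # user -> {"hr", "eng", ...}
    for ts, user, _action, resource in records:
        daily[user][ts.date()] += 1
        hours[user].add(ts.hour)
        classes[user].add(resource.split("/", 1)[0])
    return {
        user: {
            "mean": mean(counts.values()),
            "stdev": pstdev(counts.values()),
            "hours": hours[user],
            "classes": classes[user],
        }
        for user, counts in daily.items()
    }


def find_suspicious(profile, window_records, sigma=3.0):
    """Return {user: [reasons]} for users whose window activity departs from their baseline."""
    reasons = defaultdict(list)
    per_user = defaultdict(list)
    for rec in window_records:
        per_user[rec[1]].append(rec)
    for user, recs in per_user.items():
        base = profile.get(user)
        if base is None:
            reasons[user].append("no baseline")
            continue
        # floor the spread at 1 so a perfectly regular user still gets a usable threshold
        threshold = base["mean"] + sigma * max(base["stdev"], 1.0)
        if len(recs) > threshold:
            reasons[user].append(f"volume {len(recs)} > {threshold:.1f}")
        off_hours = sorted({ts.hour for ts, *_ in recs} - base["hours"])
        if off_hours:
            reasons[user].append(f"off-hours {off_hours}")
        new_classes = sorted({r.split('/', 1)[0] for *_, r in recs} - base["classes"])
        if new_classes:
            reasons[user].append(f"new resource class {new_classes}")
    return dict(reasons)


def run_demo():
    """Baseline on the constructed history, then review the constructed window."""
    profile = build_baseline(parse(BASELINE_LOG))
    return find_suspicious(profile, parse(WINDOW_LOG))


if __name__ == "__main__":
    for user, why in run_demo().items():
        print(user, why)
```

Bob trips all three checks; alice trips none. Note what this does and does not need: audit records with a reliable user attribution, but no "trust measurement" of the machine, and no new authentication beyond what produced the user field in the first place.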

Page 8: "The authentication of identity, device (and its state), software, and data could be used to generate trust measurements that could also be used to reduce risk to the ecosystem." Don't get me started. 'Trusting the state' is a good concept, but 'trust measurements' spins me out, considering trust is somewhat boolean, or at best a nominal measurement :)

Page 8: Apparently "one of the reasons that large enterprises manage risk relatively well is that they have dedicated IT staff implementing risk management programs." Hmmmmm... so throw some people at the issue and get the job done 'relatively' well :)

Page 8: Here comes the NAP pitch: "Yet there is no chief information officer for the public, and no mechanism for protecting the broader Internet by taking best practices from enterprises, such as Network Access Protection, and applying those practices to the public." What about FIRST, NSP-SEC, Arbor, the Internet Motion Sensor, network telescopes and ISPs in general? Ummm... NIST? SANS? Sorry guys, Net Neutrality vs. extreme ISP hostility with NAP?... the oul' internet would break, methinks... erm... we don't all conform on the endpoints, ladies and gents, good luck with that one... the internet is a superorganism that is evolving its immune system. Surveillance and telemetry are the first step.

Page 8: We can fix it all "With better authentication and audit, dynamic trust decisions could be made (based upon, for example, the state of a machine) and Internet service providers could use network access controls to limit the activities of “untrustworthy” machines until they were updated."

So Internet-wide NAC/NAP is the answer: don't let the "bad guys" or "bad nodes" on in the first place, and kick 'em off if they're bad(tm).

Page 9: Hmm, "Second, absent the ability to identify and prove the source of misconduct, there can be no effective deterrent—no effective law enforcement response to cybercrime and no meaningful political response to address international issues relating to cyberabuse." True.

Page 10: "Because all software operates in an environment defined by hardware, it is critical to root trust in hardware." Hmmmmmm. "If machines did a machine-to-machine-based authentication rooted in TPM keys before allowing a network connection, then one could arguably exclude unapproved machines from accessing network resources. Using new cryptographic techniques, this can be done in privacy-compliant ways." Hmmmm, cold boot attacks?

Page 14 states: "As the firewall continues to diminish in importance, it is important to focus on protecting data as opposed to simply protecting the machines that store such data." I wouldn't use this phrase; I'd rather say that the focus, from all sides, is moving up the stack, which by no means obviates the need for firewalling.

Page 15: "standardizing audit data formats and tools"... erm, syslog?

Page 15: "one can call or send mail to millions of victims, but the time and cost makes this infeasible." Ye think? Yeah, SPAM is really on the decline, NOT! Microsoft's Penny Black project made sense though...

OK, at this point I give up or this will get too long... the whole section on F. Audit (Pages 14/15) is puerile and so far behind the times it's scary... they need to look outside of their Microsoft-shaped box in Redmond.

No mention of the network.

As Ranum states: "The Internet applications stack depends heavily on ARP and DNS and those protocols depend on a tamper-free network. It’s just silly to think your end-point can secure itself if the network fabric is untrustworthy! If the network is untrustworthy, it’s “game over, man!” as Private Hudson would say."
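To make Ranum's point concrete: all the TPM-rooted machine authentication in the world does nothing if the endpoint's idea of who the gateway is comes from an unauthenticated ARP reply. The following is an added example (not Ranum's code, nor anything from the Microsoft paper or this post) of the minimum an endpoint or a network sensor can do about it: keep the learned IP-to-MAC bindings, pin the ones you care about, and alert when a reply contradicts them or when one MAC starts answering for several addresses, the classic man-in-the-middle signature. The ARP replies, addresses and the pinned gateway MAC are constructed for the demo.

```python
"""ARP poisoning watcher over a sequence of ARP replies.

Added example. Each reply is (seq, sender_ip, sender_mac, target_ip), as you
would pull from a pcap or a raw socket; the sample below is constructed.
"""
from collections import defaultdict

# Constructed sample: seq 1-3 are normal, seq 4-5 are an attacker at
# de:ad:be:ef:00:01 poisoning both the host's and the gateway's caches.
SAMPLE_REPLIES = [
    (1, "192.168.1.1", "00:11:22:33:44:55", "192.168.1.10"),   # gateway answers host .10
    (2, "192.168.1.20", "aa:bb:cc:dd:ee:01", "192.168.1.10"),  # peer .20 answers host .10
    (3, "192.168.1.1", "00:11:22:33:44:55", "192.168.1.20"),   # gateway answers .20
    (4, "192.168.1.1", "de:ad:be:ef:00:01", "192.168.1.10"),   # "gateway" from a new MAC
    (5, "192.168.1.10", "de:ad:be:ef:00:01", "192.168.1.1"),   # same MAC now claims .10 too
]


class ArpWatcher:
    """Learns IP->MAC bindings and reports replies that contradict them."""

    def __init__(self, pinned=None):
        self.pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
        self.bindings = {}                  # ip -> first MAC seen claiming it
        self.macs_for_ip = defaultdict(set)  # ip -> every MAC that has claimed it
        self.alerts = []                    # (seq, kind, subject, detail)

    def observe(self, seq, sender_ip, sender_mac, _target_ip):
        mac = sender_mac.lower()

        # 1. A pinned address (gateway, DNS resolver) must only ever come from its known MAC.
        if sender_ip in self.pinned and self.pinned[sender_ip] != mac:
            self.alerts.append((seq, "pinned-mismatch", sender_ip, mac))

        # 2. First claim wins; any later claim from a different MAC is a binding change.
        prev = self.bindings.setdefault(sender_ip, mac)
        if prev != mac:
            self.alerts.append((seq, "binding-changed", sender_ip, f"{prev}->{mac}"))
        self.macs_for_ip[sender_ip].add(mac)

        # 3. One MAC answering for several IPs is the MitM shape. A router or a host with
        #    several addresses will also trip this, so pin those rather than disable it.
        ips = sorted(ip for ip, macs in self.macs_for_ip.items() if mac in macs)
        if len(ips) > 1:
            self.alerts.append((seq, "mac-claims-multiple-ips", mac, ips))
        return self.alerts


def run_demo():
    """Replay the constructed sample with the gateway MAC pinned; return the alerts."""
    watcher = ArpWatcher(pinned={"192.168.1.1": "00:11:22:33:44:55"})
    for reply in SAMPLE_REPLIES:
        watcher.observe(*reply)
    return watcher.alerts


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Seq 4 raises both the pinned-mismatch and the binding-changed alerts for the gateway address; seq 5 adds the multiple-IP alert once the attacker's MAC is also claiming the host. Detection is the easy half: an endpoint that sees this can refuse to update its cache, but on its own it cannot make the fabric trustworthy, which is exactly the gap the paper never mentions.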

At the end of the piece a question is posed: "can we maintain a globally connected, anonymous, untraceable Internet and be dependent on devices that run arbitrary code of unknown provenance?"... Apparently, if the answer is no, then "we need to create a more authenticated and audited Internet environment"... DOH!

"it is important to address all of the complicated social, political, economic, and technical issues raised to ensure we end up with the Internet we want, one which empowers individuals and businesses, and at the same time protects the social values we cherish." Agreed, but which *we* is that? And do we want backwards compatibility?


Gabriele Biondo said...

I think the Microsoft article is pointing in the wrong direction, meaning that:
a) misses the point - security is NOT only a matter of tooling. There's a strong need for strategy and culture. Nowadays business models and society have made the Internet a non-authoritative structure, thus diminishing the overall security
b) NO RATIONALES AT ALL - I have a strong background in Math, and usually, if something is not proven, I perceive it like a fairy tale... which is what this article looks like.
c) the MS strategy has a strong assumption: everybody accepts it, share it, buys in it, incorporates it in their own products and so on.

So, from my standpoint, this article is based on weak hypotheses and has an inconsistent thesis.

As a point of interest for the reader - I had a lot of fun while reading (pg 3) ...Despite these advancements, critics complained that Microsoft lacked a comprehensive, holistic "security strategy". This is not completely fair. Guys - the language is not an opinion: comprehensive and holistic are 'all-or-nothing' adjectives: something cannot be partially-holistic or partially-comprehensive; it's an oxymoron!

Chris Quirke said...

"Experience shows that most cybercriminal schemes are successful because people, machines, software, and data are not well authenticated"

Nonsense, in that most malware attacks happen before any sort of authentication takes place.

Malware doesn't run because the wrong person got to log into the PC. It happens because of a mismatch between perceived and actual consequences, i.e. the low risk you thought you took was in fact a higher risk.

The "you" in that sentence may be the human user, the system itself (clickless attacks), but most often is a combination; the system misrepresents risk to the user, the user initiates higher risk than expected.

Authentication is irrelevant in this equation.