Dan Griffin's Blog

Comments on security, PKI, smart cards, cryptography, and entrepreneurship.

There are definitely unknowns, and some potential risk to business, if net neutrality fails. But to begin to quantify those risks, it’s important to realize that the net neutrality debate encompasses several aspects.

One aspect is whether internet providers should be able to slow or block content in an anti-competitive way. Unless you happen to be an internet provider, there seems to be little debate that preserving that aspect of net neutrality is desirable. The real debate is regarding whether that aspect should be regulated, and if so, how to do so effectively.

Another aspect of net neutrality, of much greater relevance to the typical enterprise, is quality of service. Some questions to consider:

  1. For example, should the internet provider be able to slow peer-to-peer (P2P) or gaming traffic in order to maintain what it believes to be a fair allocation of bandwidth?
  2. If the people playing the game are paying the same monthly fees as the people who are just surfing the web, or watching a video, isn’t it their right that their application can function optimally?
  3. Who decides what fair allocation of bandwidth is, anyway – the provider, the application developer, the companies that build networking equipment?
  4. How do you implement bandwidth allocation guarantees and limits (it’s more complicated than it sounds)?

The answer to the first question may partly depend on whether you’re a gamer, or perhaps more to the point, whether your business sells or hosts P2P games. However – from that perspective, the ultimate goal is obvious. People who want to sell or play P2P games are going to have to pay for whatever share of bandwidth is necessary to accomplish that.

Take another example – businesses that do lots of two-way video: they are going to be happy to pay for a service level agreement that protects their business needs, if those needs include guaranteed high-bandwidth, low-latency internet service. If their business is disrupted because someone else in that same geographic area, who happens to be paying less for service, is downloading tons of porn, how is that fair or desirable? The failure of this aspect of net neutrality is inevitable.

Thus, the opportunity here is for entrepreneurs to create the equipment and network protocols that will allow net neutrality to be seamlessly implemented. For network equipment servicing an area with thousands of homes, differentiating that many different service levels is beyond the current state of the art, at least in terms of widely deployed equipment.

This brings us back to the original question: what are the risks? Internet providers may choose to undermine net neutrality as a business practice with or without the blessing of the law. But if they do so without the support of technology, the interim period will see choppy service and inefficient pricing.


Cloud developers

August 23, 2010

Looking for software developers to help you transition your IT projects into the cloud? The main thing to keep in mind about cloud computing is that it’s still early days. The typical experienced web application developer will eventually figure things out, but the organization that hires her needs to realize that hardly anybody has this particular combination of experience yet.

For example, with Amazon’s EC2 service, she’ll need to create and manage her own machine instances, understand the difference between blob and relational storage architectures, manage data backups, deal with load balancing, and consider the cost model and her budget. Or she’ll need to coordinate with her IT operations people to do some or all of that stuff (and it’ll all be new to them, too). But has she ever had to work that closely with IT operations people before? And since the IT people won’t own the machines (Amazon does), do they even want to support this project?

All of those considerations have software architecture implications as well, so it’s not like she can just merrily write code while the IT people go off and design the system. To continue the EC2 example, it has its own message passing and storage interfaces, so much of her code is going to be purpose built. And new code means bugs – has she developed the debugging skills necessary to triage an offsite system in a timely manner? The latter can be a real concern under a deadline, since many developers (and not just web devs) have never really been forced to learn how to debug.

Microsoft’s Azure cloud service presents similar challenges: understanding the storage options, message passing, debugging, and cost model, figuring out the split of responsibilities between operations and dev, and then architecting the application accordingly.

None of these tasks is insurmountable, and all of the cloud vendors have case studies showing customers of various sizes using their services at scale. Although, it bears mentioning that those case study customers may have had invaluable internal assistance from the vendor.

The one additional piece of guidance I would give is to not hire that brilliant developer from outside, then expect her to ramp-up on cloud computing, the existing service/technology, and the internal politics of the company at the same time. Instead, task the most senior internal developer with leading the transition, and fill in staff to support him or her as needed.


Link here.

One interesting note from the key findings summary is that browser-based exploits targeting Microsoft platforms are down 50% from the XP days. 3rd party browsers are taking the hits now.


Full story is here.

The summary is that Microsoft issued a security bulletin last week on a remote code execution vulnerability in the way the Windows shell parses LNK shortcut files. However, for six weeks before that, a virus (called Stuxnet) had been circulating which attacked SCADA (Supervisory Control and Data Acquisition) control systems manufactured by Siemens. The scary part is that SCADA systems are commonly used to run critical infrastructure such as power plants (although anyone who remembers the Blaster worm already knew that Windows is used in critical infrastructure).

A detailed technical analysis of Stuxnet is here.

Making the situation even more interesting is that the virus includes a rootkit driver binary which has been digitally signed using an apparently compromised code signing key, issued by VeriSign to a company called Realtek.

Still, there are three potential mitigations that could have protected a well locked-down system, even prior to the installation of the above security patch:

  1. Gee, don’t stick the unknown USB key into your C&C terminal in the first place
  2. Use low-privileged accounts. This would likely have prevented the rootkit driver from being installed.
  3. Don’t trust 3rd party root certificates. This is configurable in Windows (although the LNK code execution still would have run).

There’s an interesting trend happening here. On one hand, cloud computing allows organizations to rapidly scale up and scale down. This not only allows companies to better handle peak processing loads, it also allows entrepreneurs to more cheaply take a chance on new ventures, such as social networking sites, which may or may not reach critical mass and be successful.

At the same time, mobile devices are becoming more powerful and fun to use.

As a result of these trends, the new mobile devices coming into the market will be lighter weight and more niche targeted. The Microsoft KIN was actually an interesting example of this, even though it was cancelled. It offered data storage in the cloud and was targeted at teens. So there are the scalability and social networking aspects right there. We’re going to see more of that kind of specialization: the opportunity for marrying social networking with mobile computing has not yet been realized, to say the least.

The increased processing power of the newer mobile devices will be dedicated to complex graphics, interactive games, and streaming video. Again, while the scale up/scale down feature of cloud computing will be harnessed by start-ups to create new social networks, users will interact with those networks by way of sexy, powerful, custom applications running on their next-generation mobile devices.


Interesting report here from Microsoft Research entitled “Concurrency at Microsoft – An Exploratory Survey”. Somewhat surprising: the respondents to the internal survey were fairly senior, with a mean of roughly seven years at the company. Not so surprising conclusion despite that: even experienced developers are challenged by concurrency bugs, and developer tools haven’t really been keeping up.

That report is from two years ago, though, and two years does make a difference. One notable new concurrency debugging tool: Corensic. In summary, Corensic’s main product, Jinx, installs as a hypervisor which attempts to force concurrency bugs to occur. That addresses one of the big challenges with that type of bug: if they happen infrequently, and only in production, identifying and fixing them can be a real pain. By forcing them to happen, and allowing that to occur in a development environment, significant cost savings can be achieved.

What’s the security angle here? Well, there are a couple. First, any bug, concurrency or otherwise, becomes a “security bug” under certain conditions. For example, a concurrency bug which results in memory corruption may be remotely exploitable. Similarly, if a security feature (e.g., an authentication service) is implemented as multi-threaded, and it has a concurrency bug which renders it unavailable, that’s a problem.

But, more broadly, security can be thought of as risk management. To software companies, bugs are a risk because they drive up development cost. They also pose a reputation risk. So get the right tools and get ‘em fixed!


Third Defense is a Seattle-based company which provides cool web-based security compliance tools. I just did a trial run of their Risk Communicator, which allows you to document, categorize, and prioritize business risks in a convenient but detailed way.

The product trial is free and can be accessed via the homepage link above. Notably, there’s no sign-up delay in getting started with the trial: simply enter your contact info and a password and it drops you into the web application dashboard.

I was curious how useful a compliance tool would be to a company such as JW Secure, since while the software industry in general isn’t traditionally thought of as “regulated,” many of our customers certainly are. My first step was to select one of the existing sample assessments and to start adding and deleting risks from it as appropriate.

One of the best features of Risk Communicator is the built-in repository of risks, each with a detailed description, that you can choose from to get started. Given the inherent complexity of security and the many types of risks that daily confront businesses of all sizes, there are guaranteed to be many items in the canned list that will catch your attention. For example: change control, mobile device encryption, security strategy, single-factor authentication, etc.

Of course, any business is subject to a laundry list of low-level risks. The purpose of this tool isn’t so much to document every one of them. Rather, it’s to focus on those that are current hot items, and especially those that are motivating a budget or staffing request.

Once a list of risks has been made, Risk Communicator places them on a heat map. This is definitely another cool feature, since it does two things at a glance: first, tell you where you need to be spending more, and second, show you which risks may be weighted incorrectly.

Overall, there are two key points to be made about IT risk management. First, the problem is always broader than just IT: this is the whole business we’re talking about. However, few companies outside of the traditional “regulated” industries (banking, healthcare, government) bother to document or quantify their risks to any useful level of detail. And those that do use static tools such as a spreadsheet. And yet, tactically, using an interactive risk prioritization tool can be valuable to any company, because it helps you stay focused on the right risks, make smart investments in IT and elsewhere, and spend your time wisely.

The second key point is that the goal isn’t to avoid risk. Indeed, risk avoidance is itself a dangerous risk, and can be among the worst mistakes a company can make. Instead, the goal is to understand risk, attempt to quantify it, and where possible, mitigate it. It is said that the best entrepreneurs aren’t so much risk takers as they are “risk understanders”. Third Defense has an interesting tool set for those who want to better understand risk.


Good post on DefCon

August 9, 2010

Here.


Smart building trends

August 2, 2010

An interesting trend in smart buildings is happening in the intersection of physical and logical security.

The first step was when companies started combining physical and logical access into a single credential. For example, a smart card (basically, a credit card with a computer chip embedded in it) can have an RFID antenna built in, with the employee’s picture printed on the front. The RFID is used by the employee to get through the front door of the building, and the smart chip is used to log on to the network when the employee sits down at his or her desk. While either credential – RFID for physical access and smart card for logical access – can be expensive to deploy on its own, by deploying them together, some costs can be shared.

The second step is in making more intelligent decisions based on the new data available. For example, building access data can be used by corporate security to determine who is in the building at any given time. If a given individual isn’t in the building, should the network server let him or her log in and access sensitive files? Or does the fact that someone is trying to log in without first scanning their front-door badge imply that it’s actually a hacker who has compromised the account and is connecting remotely?

As an aside, it’s worth noting that, historically, physical security and IT are almost always separate teams at a typical medium-sized to large company. Again, that can be an opportunity for cost-sharing as smart building technologies pull the two together. But it also poses obstacles for adopting these technologies, since there can be political conflicts, etc.
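One way to implement the badge-versus-logon check the post describes, as an added example (not code from the original post) over constructed sample logs; the CSV layout, the "local"/"vpn" logon tag, and the rule that VPN logons are exempt are assumptions:

```python
"""Correlate door-badge swipes with network logons (added example, constructed data).

The rule is the one the post sketches: a local (non-VPN) network logon whose user
has no front-door badge swipe earlier the same day is flagged for review.
"""
from datetime import datetime

# Constructed sample logs; timestamp,user,tag with timestamps as "YYYY-MM-DD HH:MM".
BADGE_LOG = """\
2010-08-02 08:02,alice,front-door
2010-08-02 08:15,bob,front-door
2010-08-02 09:40,carol,loading-dock
"""

LOGON_LOG = """\
2010-08-02 08:10,alice,local
2010-08-02 07:55,bob,local
2010-08-02 09:05,dave,local
2010-08-02 09:30,erin,vpn
2010-08-02 10:00,carol,local
"""

def parse_csv(text):
    """Yield (timestamp, user, tag) tuples; blank lines are skipped."""
    for line in text.splitlines():
        if line.strip():
            ts, user, tag = line.split(",")
            yield datetime.strptime(ts, "%Y-%m-%d %H:%M"), user, tag

def first_swipe_per_day(badges):
    """Earliest swipe for each (user, date); any door counts as entering the building."""
    first = {}
    for ts, user, _door in badges:
        key = (user, ts.date())
        if key not in first or ts < first[key]:
            first[key] = ts
    return first

def suspicious_logons(badge_text, logon_text):
    """Return 'user@time' for local logons with no badge swipe earlier that day.
    VPN logons are exempt (assumption): a remote user is not expected on site."""
    first = first_swipe_per_day(parse_csv(badge_text))
    flagged = []
    for ts, user, kind in parse_csv(logon_text):
        if kind == "vpn":
            continue
        swipe = first.get((user, ts.date()))
        if swipe is None or swipe > ts:
            flagged.append(f"{user}@{ts:%Y-%m-%d %H:%M}")
    return flagged
```

In the sample data bob logs on before his first swipe and dave never badges in, so both are flagged; erin's VPN logon is skipped.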


Read a cool article entitled Preparing Computer Science Students for the Robotics Revolution in this month’s Communications of the ACM (download isn’t free, unfortunately). The gist is that the author believes that demand for basic robotics training and experience – specifically on the software side – may be poised for rapid growth.

For example, militaries all over the world are major consumers of robotics, including for applications that involve situations too dangerous for humans, such as clearing road side bombs. The audio and visual sensing (not to mention the motor/piloting) requirements of those applications can be heavily computational, drawing from core CS areas such as Artificial Intelligence, and hence require significant programming experience to bring them from the research realm into production-ready platforms.

Other links:

  • The Create educational platform from iRobot (basically, everything but the vacuum ;)). Current educational researchers are apparently physically attaching a netbook or small laptop to these, in order to have WiFi and a camera, until a better solution comes along.
  • 2007 Scientific American article on robotics by Bill Gates
  • Player/Stage robotics app dev platform
  • Robot Operating System project
  • Tekkotsu educational robotics platform
  • Microsoft Robotics Studio – not mentioned in the article above, but looks to be quite full featured and actively supported and maintained
  • US FIRST – a high school robotics competition, which, while fun, is way too focused on building hardware in professional machine shops and not nearly focused enough on writing control software