Category: national security

Vulnerabilities Equities Process and Threat Modeling

[Update: More at DarkReading, “ The Critical Difference Between Vulnerabilities Equities & Threat Equities.”]

The Vulnerabilities Equities Process (VEP) is how the US Government decides if they’ll disclose a vulnerability to the manufacturer for fixing. The process has come under a great deal of criticism, because it’s never been clear what’s being disclosed, what fraction of vulnerabilities are disclosed, if the process is working, or how anyone without a clearance is supposed to evaluate that beyond “we’re from the government, we’re here to help,” or perhaps “I know people who managed this process, they’re good folks.” Neither of those is satisfactory.

So it’s a very positive step that on Wednesday, White House Cybersecurity Coordinator Rob Joyce published “Improving and Making the Vulnerability Equities Process Transparent is the Right Thing to Do,” along with the process. Schneier says “I am less [pleased]; it looks to me like the same old policy with some new transparency measures — which I’m not sure I trust. The devil is in the details, and we don’t know the details — and it has giant loopholes.”

I have two overall questions, and an observation.

The first question is, was the published policy written when we had commitments to international leadership and being a fair dealer, or was it created or revised with an “America First” agenda?

The second question relates to there being four equities to be considered. These are the “major factors” that senior government officials are supposed to consider in exercising their judgement. But, surprisingly, there’s an “additional” consideration. (“At a high level we consider four major groups of equities: defensive equities; intelligence / law enforcement / operational equities; commercial equities; and international partnership equities. Additionally, ordinary people want to know the systems they use are resilient, safe, and sound.”) Does that imply that those officials are not required to weigh public desire for resilient and safe systems? What does it mean that the “additionally” sentence is not an equity being considered?

Lastly, the observation is that the VEP is all about vulnerabilities, not about flaws or design tradeoffs. From the charter, page 9-10:

The following will not be considered to be part of the vulnerability evaluation process:

  • Misconfiguration or poor configuration of a device that sacrifices security in lieu of availability, ease of use or operational resiliency.
  • Misuse of available device features that enables non-standard operation.
  • Misuse of engineering and configuration tools, techniques and scripts that increase/decrease functionality of the device for possible nefarious operations.
  • Stating/discovering that a device/system has no inherent security features by design.

Threat Modeling is the umbrella term for security engineering to discover and deal with these issues. It’s what I spend my days on, because I see the tremendous effort in dealing with vulnerabilities is paying off, and we see fewer of them in well-engineered systems.

In October, I wrote about the fact we’re getting better at dealing with vulnerabilities, and need to think about design issues. I closed:

In summary, we’re doing a great job at finding and squishing bugs, and that’s opening up new and exciting opportunities to think more deeply about design issues. (Emergent Design Issues)

Here, I’m going to disagree with Bruce, because I think that this disclosure shows us an important detail that we didn’t previously know. Publication exposes it, and lets us talk about it.

So, I’m going to double-down on what I wrote in October, and say that we need the VEP to expand to cover those issues. I’m not going to claim that will be easy, that the current approach will translate, or that they should have waited to handle those before publishing. One obvious place it gets harder is the sources and methods tradeoff. But we need the internet to be a resilient and trustworthy infrastructure. As Bill Gates wrote 15 years ago, we need systems that people “will always be able to rely on, [] to be available and to secure their information. Trustworthy Computing is computing that is as available, reliable and secure as electricity, water services and telephony.”

We cannot achieve that goal with the VEP being narrowly scoped. It must evolve to deal with the sorts of flaws and design tradeoffs that threat modeling helps us find.

Photo by David Clode on Unsplash.

What's Classified, Doc? (The Clinton Emails and the FBI)

So I have a very specific question about the “classified emails”, and it seems not to be answered by “Statement by FBI Director James B. Comey on the Investigation of Secretary Hillary Clinton’s Use of a Personal E-Mail System .” A few quotes:

From the group of 30,000 e-mails returned to the State Department, 110 e-mails in 52 e-mail chains have been determined by the owning agency to contain classified information at the time they were sent or received. Eight of those chains contained information that was Top Secret at the time they were sent; 36 chains contained Secret information at the time; and eight contained Confidential information, which is the lowest level of classification. Separate from those, about 2,000 additional e-mails were “up-classified” to make them Confidential; the information in those had not been classified at the time the e-mails were sent.


For example, seven e-mail chains concern matters that were classified at the Top Secret/Special Access Program level when they were sent and received. These chains involved Secretary Clinton both sending e-mails about those matters and receiving e-mails from others about the same matters. There is evidence to support a conclusion that any reasonable person in Secretary Clinton’s position, or in the position of those government employees with whom she was corresponding about these matters, should have known that an unclassified system was no place for that conversation.


Separately, it is important to say something about the marking of classified information. Only a very small number of the e-mails containing classified information bore markings indicating the presence of classified information. But even if information is not marked “classified” in an e-mail, participants who know or should know that the subject matter is classified are still obligated to protect it.

I will state that there is information which is both classified and available to the public. For example, the Snowden documents are still classified, and I have friends with clearances who need to leave conversations when they come up. They are, simultaneously, publicly available. There is a legalistic position that such information is only classified. Such rejection of reality is uninteresting to me.

I can read Comey’s statements two ways. One is that Clinton was discussing Snowden documents, which she likely needed to do as Secretary of State. The other is that she was discussing information which was not both public and classified. My assessment of her behavior is dependent on knowing this.

Are facts available to distinguish between these cases?

CIA Reveals Identity of Bin Laden Hunter

In the Atlantic Wire, Uri Friedman writes “Did the CIA Do Enough to Protect Bin Laden’s Hunter?” The angle Friedman chose quickly turns to outrage that John Young of Cryptome, paying close attention, was able to figure out from public statements made by the CIA, what the fellow looks like.

After you’re done being outraged, send thanks to John for calling attention to the issue.

The New York Observer story, “How a White House Flickr Fail Outed Bin Laden Hunter ‘CIA John’” is also quite interesting.

Questions about a Libyan no-fly zone

With the crisis in Japan, attention to the plight of those trying to remove Colonel Kaddafi from power in Libya has waned, but there are still calls, including ones from the Arab League, to impose a no-fly zone. Such a zone would “even the fight” between the rebels and Kaddafi’s forces.

There are strong calls to move quickly, such as “Fiddling While Libya Burns” in the New York Times. But I think there are some important questions that I haven’t heard answered. A no-fly zone is a military intervention in Libya. It involves an act of war against the current government, and however bad that government is, we need to consider the question not of a “no-fly zone” but an “act of war” and its implications.

Some questions I’d love to hear answered include:

  • What if it doesn’t work? Are we willing to put soldiers on the ground to support the rebels?
  • What if it does? Who’s in charge?
  • What if it half works? We imposed a no fly zone in Iraq in 1991, and then invaded 11 years later because we hadn’t thought through the question of what we do to remove the no-fly zone. If the rebels end up with a Kurdistan, how do we finish? Another invasion? Fly walk away and let the Libyan air force to bomb in 2 years?
  • What does success look like? What’s our goal? Do we support offensive operations? If the rebels end up with some aircraft, do we let them fly?

There are other questions, about sovereignty, but I think there’s a good tradeoff to be made between preventing democide and respecting sovereignty. But I haven’t seen a proposal which seems to have considered what happens after a no-fly zone is imposed. Is there one?

The Emergent Chaos of Facebook relationships

This is a fascinating visualization of 10MM Facebook Friends™ as described in Visualizing Friendships by Paul Butler.

A couple of things jump out at me in this emergent look at geography. The first is that Canada is a figment of our imaginations. Sorry to my Canadian friends (at least the anglophones!)

The second is that borders seem to be remarkably effective at inhibiting friendships, especially in Asia.

Facebook-World.png

The TSA’s Approach to Threat Modeling

“I understand people’s frustrations, and what I’ve said to the TSA is that you have to constantly refine and measure whether what we’re doing is the only way to assure the American people’s safety. And you also have to think through are there other ways of doing it that are less intrusive,” Obama said.

“But at this point, TSA in consultation with counterterrorism experts have indicated to me that the procedures that they have been putting in place are the only ones right now that they consider to be effective against the kind of threat that we saw in the Christmas Day bombing.” (“Obama: TSA pat-downs frustrating but necessary“)

I’ve spent the last several years developing tools, techniques, methodologies and processes for software threat modeling. I’ve taught thousands of people more effective ways to threat model. I’ve released tools for threat modeling, and even a game to help people learn to threat model. (I should note here that I am not speaking for my employer, and I’m now focused on other problems at work.) However, while I worked on software threat modeling, not terror threat modeling, the President’s statement concerns me. Normally, he’s a precise speaker, and so when he says “effective against the kind of threat that we saw in the Christmas Day bombing,” I worry.

In particular, the statement betrays a horrific backwards bias. The right question to ask is “will this mitigation protect the system against the attack and predictable improvements?” The answer is obviously “no.” TSA has smart people working there, why are they letting that be the headline question?

The problems are obvious. For example, in a Flyertalk thread, Connie asks: “If drug mules swallow drugs and fly, can’t terrorists swallow explosive devices?” and see also “New threat to travellers from al-Qaeda ‘keister bomb’.”

Half of getting the right answer is asking the right questions. If the question the President is hearing is “what can we do to protect against the threat that we saw in the Christmas day bombing (attempt)” then there are three possible interpretations. First is that the right question is being asked at a technical level, and the wrong question is being asked at the top. Second, the wrong questions are being asked up and down the line. Third is that the wrong question is being asked at the top, but it’s the right question for a TSA Administrator who wants to be able to testify before Congress that “everything possible was done.”

I’ve said before and I’ll say again, there are lots of possible approaches to threat modeling, and they all involve tradeoffs. I’ve commented that much of the problem is the unmeetable demands TSA labors under, and suggested fixes. If TSA is trading planned responses to Congress for effective security, I think Congress ought to be asking better questions. I’ll suggest “how do you model future threats?” as an excellent place to start.

Continuing on from there, an effective systematic approach would involve diagramming the air transport system, and ensuring that everyone and everything who gets to the plane without being authorized to be on the flight deck goes through reasonable and minimal searches under the Constitution, which are used solely for flight security. Right now, there’s discrepancies in catering and other servicing of the planes, there’s issues with cargo screening, etc.

These issues are getting exposed by the red teaming which happens, but that doesn’t lead to a systematic set of balanced defenses.

As long as the President is asking “Is this effective against the kind of threat that we saw in the Christmas Day bombing?” we’ll know that the right threat models aren’t making it to the top.

Wikileaks

Friday night an arrest warrant went out, and was then rescinded, for Wikileaks founder Julian Assange. He commented “We were warned to expect “dirty tricks”. Now we have the first one.” Even the New York Times was forced to call it “strange.”

I think that was the wrong warning. Wikileaks is poking at a very dangerous system. We went to war with Iraq, claiming it had links to Al Qaida and chemical weapons programs. (I think there were good reasons for both Iraqi citizens and Western democracies to want a well planned and executed regime change in Iraq, and even better reasons to expect that attempts to do so would descend into chaos. But that’s besides the point.) Since then, we have publicly announced that we have death squads targeting US citizens. Does Wikileaks expect any less?

The American system of classifying documents is seriously flawed. That’s been the conclusion of every blue ribbon panel that studies it. Transparency and accountability are key tools that we the people use to constrain the power of government. But people in power never like transparency. They don’t like oversight and second-guessing. So over-classification is a natural outcome. Insofar as leaks help to constrain that, they’re useful to us, the governed. To the extent that leaks force a conversation about “why was this document classified,” they’re useful.

Now, leaking the names of informers is clearly problematic. It seems that, like many news organizations, Wikileaks asked the Pentagon for advice on redaction. They were rebuffed.

But that’s not the point of this post. The first point of this post is to say that the Leviathan is an angry and mean son of a bitch that’s now going to attack Wikileaks as hard as it can. If discrediting works, great. If not, expect escalation. Whatever their personal failings may or may not be, more transparency and accountability in government is a worthy goal, and we should support that goal. We should support that goal even as we can see flaws in Wikileaks. And despite their flaws, Wikileaks is making more transparency in less comfortable areas than anyone else.

The right response to the Afghan war diary would be for the Pentagon and for each of our allies to review what they have classified and why, and release more of it. Little of what was released was really surprising, and much of it should have been officially released with minor redaction. But instead of that review, we see the Leviathan lashing out at Wikileaks.

To the extent that Wikileaks pushes governments to become more transparent, we all benefit. If But more transparency not the reaction we’re seeing, and to distract us from that is the dirtiest trick so far.

If you think government has too much power, you should support Wikileaks. If you think that America’s overseas entanglements are hurting America or the world, you should support Wikileaks. If you think military adventurism is hurting the world, you should support Wikileaks. Because whatever Wikileak’s faults, their goals are important ones.

Which brings us to the second point of this post, which is to remind you, when you read negative stories about Wikileaks, ask yourself “who benefits?” The answer isn’t going to be “you and me.”

Transparent Lies about Body Scanners

Body scan.png

In “Feds Save Thousands of Body Scan Images,” EPIC reports:

In an open government lawsuit against the United States Marshals Service, EPIC has obtained more than one hundred images of undressed individuals entering federal courthouses. The images, which are routinely captured by the federal agency, prove that body scanning devices store and record images of individuals stripped naked. The 100 images are a small sample of more than 35,000 at issue in the EPIC lawsuit.

Previously, the government has assured us the images won’t be saved. Joshua Marpet pointed out that the “Nation’s Perverts Endorse Full-Body Airport Scanners.” Jeremiah Grossman asked if this is a violation of 18 U.S.C. § 2251.

The real trouble is that the TSA is funding the creation of these machines and forcing them on us. The companies who make them will push their chaotic deployment elsewhere. The machines are being built with recording and transmission capabilities. Chaos is going to emerge, our privacy will suffer, and it is the fault of the leaderless TSA.

The TSA has lied, consistently and persistently about the capabilities, effectiveness and health impacts of these machines. They have released scary misleading pictures, such as the one on the right. 99.99% of people walking through the machines do not have a gun strapped to their thigh. All the perverts watching the machines will see is your private parts.

TSA has a mission which can’t succeed. Anything it might do won’t prevent the destruction of aircraft. The measures they’ve talked their way into are a one-way street in today’s ‘admit nothing’ Washington culture. The head of the agency is a no-promotion position, made less attractive by the Obama administration’s ‘no revolving door’ policies.

Meanwhile, we suffer through the indignities.

Dear England, may we borrow Mr. Cameron for a bit?

Back when I commented on David Cameron apologizing for Bloody Sunday, someone said “It’s important to remember that it’s much easier to make magnanimous apologise about the behaviour of government agents when none of those responsible are still in their jobs.” Which was fine, but now Mr. Cameron is setting up an investigation into torture by UK security services. (“
Britain Pledges Inquiry Into Torture.”

And yes, it’s certainly more fun to investigate the opposition, but…I’d really like to bring Mr. Cameron over here for a little while. Some investigations would do us, and our fight against al Qaeda, a great deal of good.