Tuesday, September 18, 2012

The know-nothings of cybersecurity

Cybersecurity is infested with “know-nothings”: people who know nothing technical but who nonetheless claim to be experts. That’s because you don’t really need technical expertise to say things like “you deserve to be hacked if you spend less on cybersecurity than on coffee”.

One of the more irritating know-nothings is Stewart Baker with his blog “Skating on Stilts”. He claims to have 20 years of experience in cybersecurity, although none of it involved actual computers. He has never configured a firewall. He’s never injected SQL into a website.

Know-nothings base their arguments on sweeping generalizations that are hard to disprove. For example, in a recent blogpost, Baker argues that law enforcement can track down hackers. He bases his argument on the claim “No one can function in cyberspace without dropping bits of identifying data here and there”.

That’s absolutely false. Sure, it’s easy to make a mistake, so even experts are sometimes caught. But it’s wrong to extrapolate that they will always make a mistake, and that it’s always possible to track them back.

Sure, had Osama bin Laden tried to hide behind Tor, our nation-state has enough resources to have found him. Sabu was caught because he slipped up using Tor (logged onto IRC forgetting to proxy). The Iranian Comodo hacker forgot to send all his connections through a proxy. So hiding isn't always easy.

But neither is it always hard. Go to a pawn shop in one city and buy a used laptop with cash wearing a disguise. Go to a bar in another city wearing another disguise. Use the free WiFi, not of the bar, but the business next to it. Establish a Tor tunnel from a VM. Through that tunnel, hop through a chain of open proxies. After the attack, wipe the hard drive. Nobody will catch you, not even with nation-state resources.

Note the above paragraph contains multiple defenses. For example, a common mistake is for people to download a hostile PDF which uses scripting to open connections that bypass Tor, thus revealing identity. But, if you’re in a VM running through a Tor proxy on the host, such accidents are automatically blocked.

Know-nothings like Stewart Baker base their claims on the Dunning-Kruger effect. He doesn’t know how to disguise his actions in cyberspace, and it appears to be magic to him, so he's confident the problem is too difficult even for experts. It’s not. It’s really easy.

Many find Stewart Baker’s blogposts insightful. Well, of course: the more divorced from reality he is, the more he can make things up, the more insightful he can become.

I disagree with my fellow experts on a regular basis. But despite these disagreements, they are worth listening to, because they have expertise. And experience. But know-nothings aren’t worth listening to, even if you agree with them. As a community, we need to stop giving credence to these people.

Update: Another quote from Stewart Baker's post is "We will never defend our way out of the current cybersecurity crisis". That justification is wrong.

Defense is a tradeoff, and has decreasing marginal returns. That means perfect defense is impossible, because at some point, the marginal costs exceed the marginal benefits.

But the same applies to government regulation and law enforcement, Stewart Baker's solutions to the "crisis". Already, the U.S. government is more of a threat to you than Chinese hackers, and Stewart Baker wants to make that worse. "Crisis" is a term coined by lobbyists like Stewart Baker in order to frighten you into collectivization of the Internet. There is no crisis: for all the damage caused by Chinese hackers over the Internet, the benefits of the Internet are far greater. The government regulations Baker proposes destroy those benefits.

Update: On Twitter, Richard Bejtlich tells me that Baker is more informed than I think, especially about Chinese hackers, it's just that he can't talk about secrets. That's bollox. Double-secret probation expertise doesn't count.

For example, a CIA analyst named Tom Donahue told a story at a conference about a hacker who had broken into a (non-U.S.) power grid and then extorted money, but offered no specifics. Well, I'm pretty sure I know the origin of that story. In the story I heard, further investigation revealed it was actually an employee of the power company who had only claimed to be a hacker in order to cover his tracks.

Another example is the Witty Worm. Many in government believe that it targeted the U.S. military, because it was seeded from military computers. This is false. It wasn't "seeded" (as Wikipedia claims) from known systems, but was launched from only a single computer. This can be proven by constructing a graph of who-infected-whom from the slack area of memory. The unusual spread is explained by the fact these were promiscuous mode systems monitoring 10% of the Internet address space (their own -- the military owns a lot). When know-nothings in government are "informed" of things, they don't have the wit to interpret them. Nobody I talked to in the government understood what "slack" was, and hence, could not understand my rock-solid proof that Witty wasn't seeded.

My point here is that double-secret information like this is prone to errors. It's often a product of their overly paranoid view of the world. But we cannot challenge it, because it's secret. Baker may know important facts about threats from China, or he may know only paranoid rumors he doesn't have the skill to interpret. We can't trust him unless he can demonstrate a reason to trust him, which he hasn't done yet.

You know I'm an expert not because I claim to be, but because you can run my products, read my code, read my blog, and so on. You can challenge me on it. That's being an expert.

Update: My blogpost here is an ad hominem attack. I point this out because I normally hate ad hominem attacks. You should evaluate an argument on its merits, and not by who made it.

But his piece is reverse-hominem [is that a thing?]. He says, to the effect, "experts say attribution is difficult, but I think they are wrong". He's not giving evidence why other experts are wrong. He is asking us to trust his expertise as being greater than the other experts. This opens him up to ad hominem attacks. I know experts, experts are friends of mine, and you sir are no expert. You can't wave your hand and dismiss the real experts.

In addition, I counter with evidence. I describe in technical detail how easy it is to make attacks non-attributable. I may be wrong, but I've constructed it so that you can attack my argument without having to attack me.


Steve Syfuhs said...

Where do you figure these people fit in on the scale of experts to charlatans? Somewhere in the middle, or dangerously close to causing major problems?

Robert Graham said...

I would call charlatans those people who claim expertise they don't really have, like claiming to have configured a firewall when they haven't.

The thing about know-nothings like Stewart Baker is that he hasn't claimed to have configured a firewall, but claims expertise nonetheless.

Anonymous said...

For a long time, I thought I was the only one seeing this "phenomenon".

Imagine working in a company that employs people without practical software knowledge (they didn't even know what version control is) while these people actually give briefings and presentations to actual software programmers, designers etc. on software frameworks, best practices, design processes, software configuration, security, safety etc.

This is a mad world.

Anonymous said...

To me, the worst "know nothings" in computer security tend to be the cryptographers. They seem to consider that because they came up with a cipher, they know everything about computer security when in fact most of them would be incapable of explaining what a buffer overflow is.

The "problem" is that they tend to have what seem to be valid credentials (PhD, publications, etc...) so few people call them out.

Anonymous said...

"But his piece is reverse-hominem [is that a thing?]."

Could be 'appeal-to-[self-]authority' leading to 'poisoning the well'

Anonymous said...

Could you explain the "slack area of memory" thing?

I always heard the term as referring to non-zeroed areas of memory that sometimes hold interesting previous data, but unless you had access to the machines involved I don't see how you can reconstruct the infection graph.

Robert Graham said...

Re: the "slack area of memory thing"

That's exactly what I mean. Witty sent packets of variable length. If infected with a 700 byte packet, it might copy itself and send out an 800 byte packet -- that's 100 bytes of slack memory copied into the outbound packets.

It's not a perfect chain. Sometimes a system infected with a longer packet sends out shorter ones, thus removing one or more hops in the visible chain. But enough of the chain was visible to prove beyond a reasonable doubt that the infection spread normally and was NOT the result of a pre-seeded hit-list.
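The Witty passage in the post and the comment above describe the same forensic idea: a host's outbound packets carry slack bytes copied from the packet that infected it, so a capture taken from a monitored slice of address space can be mined for a who-infected-whom graph, with hops going invisible whenever a host sends shorter packets than the one it received. The following is an added example written for this page, not code from the post and not the actual Witty analysis. It assumes a deliberately simplified model: a constant worm body (`BODY`) followed by whatever sat in the sender's buffer, a per-host buffer seeded with that host's own stale memory (`STALE_SEED`, a constructed byte ramp so that no two hosts agree at any position), and a monitor that sees only packets sent into its own space, never the infecting packets themselves. The hosts, event list and buffer size are all constructed for the example.

```python
"""Reconstruct a who-infected-whom graph from slack bytes carried in worm
packets. Simplified model (an assumption of this example, not the real Witty
code): each packet is a constant worm body followed by whatever sits in the
sender's buffer, and a newly infected host's buffer holds the packet that
infected it followed by the host's own stale memory."""

BODY = b"WORM-BODY-CONSTANT-PREFIX-"   # constructed stand-in for the worm code
BUF = 160                              # constructed per-host buffer size
MIN_MATCH = 8                          # shortest padding overlap we trust

# Constructed per-host "uninitialised memory": a byte ramp with a distinct
# offset per host, so no two hosts agree at any byte position.
STALE_SEED = {"P0": 0, "Q0": 250, "A": 50, "B": 100, "C": 150, "D": 200}

def stale(host):
    return bytes((STALE_SEED[host] + i) % 256 for i in range(BUF))

def simulate(events):
    """Replay constructed events; return only what a monitor would capture.

    ("infect", t, src, dst, n): src infects dst with an n-byte packet sent to
        an unmonitored address, so the packet itself is NOT captured.
    ("scan", t, src, n): src sends an n-byte packet into monitored space;
        captured as (t, src, payload).
    """
    buffers, captured = {}, []

    def buffer_of(host):          # patient zero: body followed by own slack
        if host not in buffers:
            buffers[host] = BODY + stale(host)[len(BODY):]
        return buffers[host]

    for ev in events:
        if ev[0] == "infect":
            _, t, src, dst, n = ev
            payload = buffer_of(src)[:n]
            if dst not in buffers:   # first n bytes overwritten, rest is stale
                buffers[dst] = payload + stale(dst)[n:]
        else:
            _, t, src, n = ev
            captured.append((t, src, buffer_of(src)[:n]))
    return captured

def common_prefix_len(a, b):
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

def reconstruct(captured, min_match=MIN_MATCH):
    """Map each host to its candidate infectors, from captured packets only.
    One candidate: the hop is visible. Several: they all share the same slack
    prefix with the host, so the true infector cannot be told apart from its
    ancestors or siblings. None: no earlier slack matches (an apparent root).
    """
    first_seen, longest_pad = {}, {}
    for t, src, payload in sorted(captured):
        pad = payload[len(BODY):]
        first_seen.setdefault(src, t)
        if len(pad) > len(longest_pad.get(src, b"")):
            longest_pad[src] = pad
    graph = {}
    for host in sorted(first_seen, key=first_seen.get):
        scores = {}
        for other in first_seen:
            # Assumption: a parent was captured scanning before its child.
            if other == host or first_seen[other] >= first_seen[host]:
                continue
            m = common_prefix_len(longest_pad[host], longest_pad[other])
            if m >= min_match:
                scores[other] = m
        best = max(scores.values(), default=0)
        graph[host] = sorted((h for h, m in scores.items() if m == best),
                             key=first_seen.get)
    return graph

def roots(graph):
    """Hosts whose slack matches nobody earlier: the apparent origins."""
    return sorted(h for h, cands in graph.items() if not cands)

# Constructed capture with one origin, P0. B and D were infected with packets
# shorter than the ones that infected their parents, so their slack carries
# no bytes unique to the parent and that hop becomes invisible.
EVENTS = [
    ("scan", 1, "P0", 120),
    ("infect", 2, "P0", "A", 120),
    ("scan", 3, "A", 150),
    ("infect", 4, "A", "B", 100),
    ("infect", 5, "A", "C", 140),
    ("scan", 6, "C", 150),
    ("scan", 7, "B", 150),
    ("infect", 8, "C", "D", 130),
    ("scan", 9, "D", 135),
    ("scan", 10, "P0", 140),
]
# Constructed capture with two independent origins, as a hit-list would give.
SEEDED_EVENTS = [("scan", 1, "P0", 120), ("scan", 2, "Q0", 120)]

if __name__ == "__main__":
    graph = reconstruct(simulate(EVENTS))
    for host, cands in graph.items():
        print(host, "<-", cands or "root")
    print("origins:", roots(graph))
    print("seeded origins:", roots(reconstruct(simulate(SEEDED_EVENTS))))
```

Running it on the constructed capture yields a single origin (P0) with A and C attributed unambiguously, while B and D each get several tied candidates: exactly the "hop removed from the visible chain" case the comment describes. The second capture, with two hosts whose slack shares nothing, yields two origins, which is what a pre-seeded hit-list would look like. The distinction the post draws therefore rests on counting origins, not on recovering every hop.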
