Tuesday, March 04, 2014

RSAC Keynote: support your local sherif

RSA Security chairman Art Coviello opened his company's conference with a discussion of "BSAFE backdoor" controversy [video]. Rather than defending his company's mistakes in the affair, he seemed to justify them with a four-point plan calling for greater powers for law enforcement.

#1 "Renounce the use of cyber-weapons, and the use of the Internet for waging war"

This is sure to be a crowd-pleaser, touching upon the "0-day" debate in our community, but it's wholly without substance.

We already use the Internet for waging war, whether it's servicemen sending emails back home, or using Internet connectivity to control drones on the battlefield. Internet is communications, and communications is essential to warfare. We no longer have the ability to communicate without using the Internet. In modern warfare, all sides use the Internet for waging war.

Of course, that's not precisely what he meant (I think). Instead, he probably refers to attacking each other through cyberspace. But it's the same thing. If we are raining down terror from Internet-controlled drones, then that control mechanism, the Internet, becomes fair game. We can't tell the victims of drone attacks that while shooting back at the drones is allowed by the rules of war, that hacking or viruses are somehow morally reprehensible and off limits. It's the same with outer space: our use of GPS for precision-guided missiles and satellite communications means waging war in space, even though no military action has yet taken place in space. We are just lucky we haven't attacked somebody yet with the ability to put ball-bearings in low-orbit taking out our GPS system -- and the ability to launch anything into space for a decade.

In short, his idea "renouncing the use of the Internet for waging war" demonstrates a total lack of understanding of the issue.

He's more on target with "cyber-weapons". Our community has a legitimate debate over "military 0days", and how the military's purchase of 0days outbids bug bounties that serve to protect us by closing vulnerabilities.

However, the blanket statement about "cyber-weapons" ignores this complex issue, and treads bad ground. The argument seems tailor-made to appeal to the EFF crowd, but these people don't renounce cyber-weapons as a principle. Instead, they defend their use, such as claiming Anonymous hackers were justified in using LOIC (a DDoS tool) against PayPal.

There is also the issue that virtually all "weapons" in cyberspace are dual-use: used by defenders as well as attackers. To outsiders, Nmap and Metasploit seem like evil tools with no legitimate purposes, but in fact they are most heavily used by defenders in protecting their networks against hackers. Again, the EFF hotly defends the use of such tools. That's why the debate in our community centers on "0days": it's the one tool that doesn't seem to be particularly useful to defenders.

Then there is the issue about whether code is speech (again, something the EFF defends). Virtually all "cyber-weapons" are open-source (except for the 0-days). Restricting them becomes an intolerable offense to basic rights.

In short, what Coviello is talking about is the same logic used by law enforcement in the 1990s, when encryption was classified as a munition and tightly controlled. The consequence was that it left good people open to attack. While this point looks initially like a sop to the anti-war crowd, it is in fact an attack on our liberties.

#2 "Cooperate internationally in the investigation, apprehension, and prosecution of cyber-criminals"

Our job in the cybersec community is to defend computers against hackers. That doesn't automatically make us tools of the state for prosecuting cyber-criminals.

For one thing, the definition of "cyber-criminal" is overly broad. Unlocking your iPhone makes you a cybercriminal. Incrementing a number in a URL makes you a cybercriminal. Spoofing your MAC address makes you a cybercriminal. Posting to Facebook can make you a cybercriminal.

World wide, most countries are oppressive regimes. Certainly we aren't going to aid law enforcement internationally and help those regimes. Even in the mostly "free" country of the United States, law enforcement has taken on the appearance of a police state. The U.S. jails over 1% of it's population, which is 10 times more than any other free country. Half of all young black men are in the system, such as in jail or on parole. Even whites are more likely to be in jail in the United States than in Europe.

Yes, we in this community work on the side of law enforcement when it comes to real crimes like stealing money or murder. For a broad range of other things, we oppose law enforcement. Indeed, many of us live in constant fear that law enforcement will come up with a novel interpretation of the law in order deem previous common whitehat activities as cybercrime.

As in his first principle, Coviello reveals that he has gone back on the principles of RSA from the 1990 and is now taking the side of law enforcement against citizens. His comments seem to indicate that he'd find mandatory key escrow a good feature of encryption.

#3 "Ensure that economic activity on the Internet can proceed unfettered and that intellectual property rights are respected around the world"

Here Coviello is completely at odds with the rest of the cybersec community.

Yes, limited intellectual property protections for a limited time are the lifeblood of the modern economy, especially a "knowledge economy" like the United States. But, our zeal to protect intellectual property has lead to a cyber-police-state, where the DMCA is used to chill speech and patent trolls destroy innovation.

In justifying this principle, Coviello says "The rule of law must rule". I'm not sure what he means by that. The phrase "rule of law" doesn't mean the principle that law must crack down on wrongdoers. Instead, the phrase means that everyone is subject equally to the law, even the powerful. It means whichever laws we have, they should be applied equally.

And the lack of even treatment under the law is exactly why people are upset with the current intellectual property regime. One example is how Disney appears to have tailored copyright law to its own benefit at the expense of everyone else. Another example is how the DMCA is wholly unbalanced between the powerful and the powerless.

We see a theme developing here: Coviello (and by extension RSA) is clearly coming down on the side of law enforcement against individual rights.

#4 "Respect and ensure the privacy of all individuals"

Unlike Coviello's first three points, this seems reasonable. Maybe he isn't such a bad guy.

But, later in his remarks, it's clear that he's not really standing up for privacy. He says "Governments have a duty to create and enforce a balance ... that embraces individual rights and collective security". It's quite clear from the nature of his arguments where he sees the correct balance -- toward maximum security, and consequently, minimal individual rights.


My translation of Coviello's comments is this: "If we had backdoored our crypto, would that have been such a bad thing?". Betraying customer trust on behalf of the government is consistent with his entire speech: trusting the NSA, trusting NIST, and most of all, trusting the good intentions of the police state.

Masscan: I spend more attention on the first principle about "cyberweapon" than the remaining three. I get the impression it's targeted at me, since I build cyberweapons (like my masscan tool). I get the impression he's saying "don't condemn us for our bad behavior, we aren't as bad as those cyberweapon builders! Condemn them instead!!".

1 comment:

Unknown said...

Interesting article Rob. Just correct Art's surname. He's called Caviello and Coviella on the same article several times.