Stuxnet and collateral damage

To update von Clausewitz’s maxim for contemporary times: “Malware is the continuation of politics by other means.” This is one of the lessons from the ongoing Stuxnet debate: targeted computer attacks have become part and parcel of nation states’ arsenal for carrying out foreign policy objectives.

There have been solid technical analyses of Stuxnet’s complex inner workings, but the debate on policy implications is only now starting in earnest. One question that has been overlooked is the extent of collateral damage tolerable from carrying out this type of attack.

Stuxnet was the odd combination of being targeted very precisely and casting an extremely wide net. The malicious payload that infected industrial controllers only kicked into gear when it detected a very specific environment, believed to represent the uranium enrichment plant operating in Iran. On the other hand, because software development for such critical facilities typically takes place behind air-gapped networks, the worm had to be released into the wild. Its humble beginnings were no different from the self-propagating malware that wreaked havoc in the past: Code Red, Nimda, Blaster, Slammer, … Except Stuxnet was light-years ahead of its predecessors in terms of sophistication and the sheer number of different vectors used to infect new targets.

Because it was after a very specific target that would not be reachable directly from the Internet, the designers threw the kitchen sink at the problem, including an exploit that allowed the malware to propagate by USB drives between machines. This meant Stuxnet would eventually reach places that vanilla malware does not, including compartmentalized networks that had been assumed to be isolated from the warzone that is the Internets. Stuxnet was designed to explore every nook and cranny in that space, in pursuit of its ultimate target, the programmable logic controllers destined to spin enrichment centrifuges. Given its non-discriminatory approach to spreading, it is surprising that most of the infections remained contained in Iran, with a smaller number in Indonesia and India; countries starting with “I” apparently did not fare well. By comparison the number of infections in the US was not significant. The first question then is what other systems are “fair game” on the way to reaching an objective. The Stuxnet case is complicated by the fact that the presumed target is not directly reachable. Intermediate stepping stones are required to get there, which may end up being personal computers, Internet cafes, anything that is ultimately connected to the persons of interest in some unexpected six-degrees-of-separation logic. (This brings to mind the quote from Robert H. Morris Sr: “To a first approximation, every computer in the world is connected with every other computer.”) Worse, the connections are not known in advance: it is a massively parallel search, exploring every possible path along the way in the hope that one may cross paths with the actual target. Such expansive views on scope risk turning every machine in the world into collateral damage in the name of reaching the destination.

The second dimension concerns damage. On most machines it infected, Stuxnet did nothing but propagate to other targets. Again there is a similarity to the massive worm outbreaks of the good old days; with the exception of Witty, most contained no malicious payload. Even if it happened to land on a computer where some unlucky engineer had been tasked with developing software for industrial controllers in an unrelated industry, the tampered product would likely have worked flawlessly for its intended environment. This is not to say that there was no cost to Stuxnet for those in its path: there is still time and productivity wasted on removing the malware from the system, both for individuals and companies. On the other hand, the economic impact for software vendors is murky. Antivirus vendors benefit from trumping up scare stories. This one fits the bill perfectly, complete with cloak-and-dagger nation state implications. Similarly it is difficult to argue that MSFT suffered great expense in addressing the vulnerabilities implicated in Stuxnet, considering their leisurely patch schedule in the presence of known 0-days.

In any case, it is misleading to focus on the designers’ intent in not harming systems; far from being a magnanimous gesture on their part, it was simply following best practices in malware design. Noisy/buggy malware is the kind that gets noticed and removed. Stealth is a survival strategy: even run-of-the-mill keystroke recorders designed to steal credit cards in the name of petty theft strive to be very stable. Vandalizing user data, blue-screening the system or displaying in-your-face popup advertisements is the surefire way to get your malware noticed by an AV vendor. (Interestingly enough, Stuxnet was noticed by Kaspersky and filed away as vanilla malware a full year before its inner workings were properly understood.) The problem is that modern operating systems are incredibly complex, and it is not possible to ensure that malware lives up to its promise of zero collateral damage. When Robert Morris Jr. released the Internet worm, he intended it to propagate only, with no malicious payload and barely noticeable load on infected systems. But a slight miscalculation/bug in the logic caused it to overwhelm networks and machines. Even MSFT cannot ship software updates without breaking users in some unexpected, obscure configuration, and they have far more QA expertise and a much larger test matrix than organizations developing malware.

The network infrastructure has long been a battleground, with participants of every scale from hobbyist vandals to organized crime groups and nation states duking it out with packets. The question raised by Stuxnet is whether these frontlines will expand to include the machines owned/used by ordinary citizens, turning them into dispensable pawns in pursuit of an elusive objective.

CP


Customer lock-in and US mobile market

A dated story from The Unofficial Apple Weblog hints at the sad state of competition in the US wireless market. As the release date for the second-generation iPhone draws near, news stories pointed out that AT&T and Apple are trying harder to lock down the phones. The widespread use of jailbreaking on first-generation phones caused AT&T to miss out on significant revenue as customers bought the devices without any intention of signing up for the corresponding wireless service. This time around buyers are forced, er, encouraged to surrender the money upfront: phones are pre-bricked according to CNet and must be activated in the store, along with a minimum 2-year commitment to a wireless contract. (AT&T to Apple customers: “submit to our authority!”) Expect delays as the purchase itself gets complicated by credit checks and all the other ceremonies that go with signing up for service plans.

It is still possible to purchase the device itself, but at a steep premium. This is standard in the US market, where phones are subsidized by the wireless service contract and sold below cost. There are early-termination fees in case the user decides to part ways with the carrier before they have generated enough revenue to offset the cost of the subsidy. But there is still a gap in the logic, as TUAW points out in the article Doing the wacky AT&T math: it is still more economical to sign up for the contract and then break it after one month instead of purchasing the unlocked device.

On that note, Jonathan Zittrain was at Google NYC yesterday to talk about his recently published book “The Future of the Internet and How to Stop It.” One of the highlights from the presentation involved a picture of Steve Jobs on stage discussing the application approval process for iPhone, describing the criteria used to decide when code is unworthy of running on the sacred device. Alongside the usual suspects “malicious” and “bandwidth hog” was one that captured Apple’s attitude towards open platforms: “unforeseen.”

cemp


Charging by the gigabyte and end of the free bandwidth lunch

This Sunday an article in the NYT takes up the question of bandwidth pricing, joining earlier speculation on this blog about the twilight of flat-fee subscription models. The article with the self-explanatory title “To curb Internet traffic, access provider are beginning to charge by the gigabyte” cites an experiment Time Warner is running in Beaumont where customers can choose between 5GB, 20GB or 40GB capped monthly plans. In case you have never heard of Beaumont: the article states that it is a city in Texas with around 100K population, exactly the type of place to run such an experiment without attracting a lot of attention or generating resentment from a cosmopolitan audience spoiled on the comforts of streaming YouTube videos all day long. It is a good, balanced piece aside from the author’s confusion between BitTorrent the protocol versus BitTorrent the company when recounting the Comcast debacle.

These magic 5/20/40GB numbers also raise the question of exactly what the average bandwidth usage is. There seem to be few academic papers in this area. One Time Warner executive quoted in the article says:

“Average customers are way below the caps… These caps give them years’ worth of growth before they’d ever pay any surcharges.”

The only figure cited in the article is that 95% of customers use under 40GB of traffic each month. (It is not clear if this is downstream, upstream or combined.) Chances are Time Warner has sliced and diced the bandwidth usage data very carefully before choosing these numbers and the associated prices, which range from $30 to $50, and the $1 per GB overage fee for exceeding the caps. One problem is that there is no single average Internet user, as the author of the NYT piece argues very convincingly. The novice checking email and movie times could be happy with the 5GB cap, but an addict streaming videos or watching TV shows on Hulu.com is likely to run over even the more generous limits. One Netflix download is a couple of GB. Watching a handful of movies every month may not break the bank in this model, but at the surcharge rate of $1/GB, suddenly a movie ticket or rental from the local store is competitive with what used to be “free, unlimited” instant viewing. More importantly there is a network version of Parkinson’s law, which states that content expands to saturate the bandwidth available. As the capacity of networks increases, more bandwidth-hungry applications are introduced.

So far it is an experiment, but if this model goes mainstream, it would threaten the revenue stream for media companies. Netflix and Hulu are dependent on consumers being able to stream their content. Until now subscribers did not have to dutifully count their bytes the way cell-phone users count their minutes. An iTunes download is not competing for scarce bandwidth quotas with a high-definition movie from Xbox Live Marketplace. Even if the bandwidth is not capped but throttled in the interest of fairness, it will create a mindset of scarcity and zero-sum choices between different options. On the bright side, broadband users may become more discerning and not forward that inane lolcatz video around one more time.

The alternative is for the content providers to compensate the ISPs. In this model Netflix would pay Comcast directly and those downloads would not count towards the monthly quota. In effect this is a type of revenue sharing or extortion, depending on which side of the deal one is focusing on. It also creates a troubling situation for network neutrality. When some content is “free” and other content requires payment in scarce bandwidth allocation, speakers that are not able to pay ISPs to absorb access costs are in effect disadvantaged. Critics might contend the same situation applies today, in that companies with large data centers and fat egress pipes are better able to push their content to an audience. Yet those correspond to capital investments in the endpoints, fully under the control of the speaker. An ISP metering bandwidth is situated between the content provider’s data center and the target audience, able to manipulate economic incentives for accessing that content regardless of how state-of-the-art the data center originating the content may have been. This is a case where artificially created bandwidth scarcity may have the effect of picking winners and losers between business models, as well as between content providers.

cemp


CFP2008: Deep thoughts on deep packet inspection

DPI came up on the Friday morning discussion of network neutrality and when exactly an ISP has crossed the line. There is a material distinction between the “content” and the “meta-data” of communications. For example, the rules around a pen register / trap-and-trace are different and less stringent than those governing a full wiretap. For IP communications, the parallel for the phone number is the header of an IP packet, which describes its destination, how much data it contains and perhaps hints at the protocol. Looking past that into the payload of the packet is what can be termed “deep packet inspection.”

On the panel it was pointed out that DPI was simply not commercially feasible until recently. The hardware required to look at every packet flying by on a high-speed gigabit link is not exactly stocked at the local Best Buy. According to David Reed, initial demand was driven by intelligence applications. But Moore’s law does not discriminate between military and commercial use. As soon as the capability was within striking distance for large ISPs, people started looking for ways to capitalize on it: in other words, a solution in search of a problem. As with most of these contrived, artificially created uses of technology that start from the ISDN position (“innovations-subscribers-don’t-need”), the first attempt has proved less than brilliant.

The proposals from Charter and British Telecom cross the line from dubious into no-doubt-about-it nefarious. This is the one scenario where less intrusive solutions are not possible, because the business model favors collecting more data about customers. There is an interesting correlation between how far into the IP packet the ISP must look and the social acceptability of its objectives. Comcast can manage its scarce resources by simply counting bits, looking at the size of the IP packets sent without regard for their destination or port. As it turned out, their first crude, inept attempt did look at port numbers and single out BitTorrent. Luckily bandwidth is bandwidth, and while the ISP has every right to create different pricing models that may require limiting the resources consumed by the heaviest users, it has no business deciding which protocol the customer will use or what endpoints they choose to communicate with. Looking at the size of the IP packet and keeping tabs on usage is good enough for this purpose.

Looking at more data in the packet cranks up the intrusiveness level. The destination address will reveal the websites the customer is visiting. Advertising networks have traditionally relied on this information for targeting. This is the same data Charter and British Telecom are going after. The final step will involve looking past the header and directly into the contents of the packet. Moore’s law is not on the side of privacy in this case. The CFP discussion and Peter Ohm’s ideas about the ECPA connection are very timely.
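To make the gradation above concrete, here is an added example (not from the original post) in Python that parses constructed IPv4/TCP packets at each of the three depths: usage metering from the IP total-length field alone, the header view that exposes endpoints and ports, and the payload view that is deep packet inspection proper. The addresses, ports and payloads are constructed sample data and the checksums are left at zero.

```python
import struct
from collections import defaultdict


def build_packet(src, dst, sport, dport, payload):
    """Build a minimal IPv4 + TCP packet (constructed sample data, checksums zeroed)."""
    total_len = 20 + 20 + len(payload)
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    # version/IHL=0x45, TOS, total length, id, flags/frag, TTL, proto=6 (TCP), csum, src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0, src_b, dst_b)
    # sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def meter_usage(packets):
    """Shallowest level: per-subscriber byte counts from the IP total-length field only.
    The source address is read solely to attribute the bytes to a subscriber."""
    usage = defaultdict(int)
    for pkt in packets:
        total_len = struct.unpack("!H", pkt[2:4])[0]
        src = ".".join(str(b) for b in pkt[12:16])
        usage[src] += total_len
    return dict(usage)


def header_view(pkt):
    """Header level: endpoints and ports reveal who is talking to whom and hint at the protocol."""
    ihl = (pkt[0] & 0x0F) * 4
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return {"src": src, "dst": dst, "proto": pkt[9], "sport": sport, "dport": dport}


def payload_view(pkt):
    """Deep packet inspection: past both headers into the application data itself."""
    ihl = (pkt[0] & 0x0F) * 4
    data_off = (pkt[ihl + 12] >> 4) * 4
    return pkt[ihl + data_off:]


# Constructed traffic from two hypothetical subscribers on an access link.
PACKETS = [
    build_packet("10.0.0.1", "93.184.216.34", 40000, 80,
                 b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    build_packet("10.0.0.2", "198.51.100.7", 51000, 6881, b"\x13BitTorrent protocol"),
    build_packet("10.0.0.1", "93.184.216.34", 40001, 443, b"\x16\x03\x01" + b"\x00" * 13),
]
```

Metering needs nothing beyond `meter_usage`; only the port-targeting and content-targeting business models require the two deeper views.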

cemp

