[SecurityRatty] tag: decent

The Two Classes of Airport Contraband

Tue, 23 Sep 2008 01:47:04 +0000

Airport security found a jar of pasta sauce in my luggage last month. It was a 6-ounce jar, above the limit; the official confiscated it, because allowing it on the airplane with me would have been too dangerous. And to demonstrate how dangerous he really thought that jar was, he blithely tossed it in a nearby bin of similar liquid bottles and sent me on my way.

There are two classes of contraband at airport security checkpoints: the class that will get you in trouble if you try to bring it on an airplane, and the class that will cheerily be taken away from you if you try to bring it on an airplane. This difference is important: Making security screeners confiscate anything from that second class is a waste of time. All it does is harm innocents; it doesn't stop terrorists at all.

Let me explain. If you're caught at airport security with a bomb or a gun, the screeners aren't just going to take it away from you. They're going to call the police, and you're going to be stuck for a few hours answering a lot of awkward questions. You may be arrested, and you'll almost certainly miss your flight. At best, you're going to have a very unpleasant day.

This is why articles about how screeners don't catch every -- or even a majority -- of guns and bombs that go through the checkpoints don't bother me. The screeners don't have to be perfect; they just have to be good enough. No terrorist is going to base his plot on getting a gun through airport security if there's decent chance of getting caught, because the consequences of getting caught are too great.

Contrast that with a terrorist plot that requires a 12-ounce bottle of liquid. There's no evidence that the London liquid bombers actually had a workable plot, but assume for the moment they did. If some copycat terrorists try to bring their liquid bomb through airport security and the screeners catch them -- like they caught me with my bottle of pasta sauce -- the terrorists can simply try again. They can try again and again. They can keep trying until they succeed. Because there are no consequences to trying and failing, the screeners have to be 100 percent effective. Even if they slip up one in a hundred times, the plot can succeed.

The same is true for knitting needles, pocketknives, scissors, corkscrews, cigarette lighters and whatever else the airport screeners are confiscating this week. If there's no consequence to getting caught with it, then confiscating it only hurts innocent people. At best, it mildly annoys the terrorists.

To fix this, airport security has to make a choice. If something is dangerous, treat it as dangerous and treat anyone who tries to bring it on as potentially dangerous. If it's not dangerous, then stop trying to keep it off airplanes. Trying to have it both ways just distracts the screeners from actually making us safer.

Federal grand jury meets on Palin hacking case

Tue, 23 Sep 2008 00:00:00 +0000

A federal grand jury convened to hear testimony about the hack of GOP vice presidential nominee Sarah Palin's e-mail account, and the lawyer representing the college student suspect called his client 'a decent and intelligent young man.'

Security Matters: Airport Pasta-Sauce Interdiction Considered Harmful

Thu, 18 Sep 2008 14:00:00 +0000

---

Bruce Schneier is chief security technology officer of BT. His new book is Schneier on Security.

Summarizing August's Threatscape

Wed, 10 Sep 2008 02:57:32 +0000

Following the previous summaries of June's and July's threatscape based on all the research published during the month, it's time to summarize August's threatscape.

August's threatscape was dominated by a huge increase of rogue security software domains made possible due to the easily obtainable templates for the sites, several malware campaigns targeting popular social networking sites, Russian's organized cyberattack against Georgia with evidence on who's behind it pointing to "everyone" and a few botnets dedicated to the attack making the whole process easy to outsource and turn responsibility into an "open topic", several new web based botnet management kits and tools found in the wild, evidence that the 76service may in fact be going mainstream since the concept of cybercrime as a service is already emerging, and, of course, a peek at India's CAPTCHA solving economy, where the best comment I've received so far is that every site should embrace reCAPTCHA, so that while solving CAPTCHAs and participating in the abuse of these services in question, they would be also digitizing books. As usual, August was a pretty dynamic month for the middle of summer, with everyone excelling in their own malicious field.

01. McAfee's Site Advisor Blocking n.runs AG - "for starters"
False positives are rather common, especially when you're aiming to protect the end user from himself and not let him gain access to "hacking tools", but you're flagging security tools as badware and missing over half the SQL injected domains currently in the wild due to the fact that SiteAdvisor's community still haven't reviewed them - that's not good

02. The Twitter Malware Campaign Wants to Bank With You
Twitter, just like every Web 2.0 application, isn't and shouldn't be treated as a unique platform for dissemination of malware, since it's dissemination of malware "as usual". This particular malware campaign was not just executed by a lone gunman, but also, was taking advantage of a flaw allowing the author to add new followers potentially exposing them to the malicious links serving banker malware. For the the time being, MySpace, Facebook and Twitter accounts are the very last thing a malicious attacker is interesting in puchasing accounting data for, but how come? It's all due to the oversupply of automatically registered accounts at other popular services, whose ecosystem of Internet properties empower cybercriminals with the ability to launch, host and distribute malware in between abusing the very same company's services for the blackhat SEO campaign and redirection services. Theoretically, a distributed network build upon the services provided by a single company is faily easy to accomplish due to the single login authentication applied everywhere. A singly bogus Gmail account results in a blackhat SEO hosting blogspot account, flash based redirector hosted at Picasa, and a couple of thousands of spam emails sent automatically sent through Gmail in order to abuse it's trusted email reputation

03. Compromised Web Servers Serving Fake Flash Players
If aggressiveness matter, this campaign consisting of remotely injected redirection scripts at legitimate sites next to on purposely introduced malware oriented domains, was perhaps the most aggressive one during the month. Fake flash players, fake windows media players and fake youtube players are prone to increase as a social engineering tactic of choice due to the template-ization of malware serving sites for the sake of efficiency

04. Pinch Vulnerable to Remotely Exploitable Flaw
With Zeus vulnerable to a remotely exploitable flaw allowing cybercriminals to hijack other cybercriminal's Zeus botnet, private exploits targeting the still rather popular at least in respect to usefulness Pinch malware are leaking, allowing everyone including security researchers to take a peek at a particular campaign running unpatched Pinch gateway

05. Phishers Backdooring Phishing Pages to Scam One Another
Backdooring phishing pages is perhaps the most minimalistic approach a cybercriminal wanting to scam another cybercriminal is going to take. The far more beneficial approach that I've encountered on a couple of occassions so far, would be to backdoor a proprietary web malware exploitation kit, release it in the wild, let them put the time and efforts into launching the campaigns, then hijack their botnet. In fact, the possibilities for backdooring copycat web malware exploitation kits in order to take advantage of the momentum while introducing a non-existent kit has always been there at the disposal of malicious attackers. One thing's for sure - there's no such thing as a free web malware exploitation kit, just like there isn't such thing as a free phishing page

06. Email Hacking Going Commercial - Part Two
In between the scammers promising the Moon and asking for anything between $20 to $250 to hack into an email account, there are "legitimate" services taking advantage of web email hacking kits consisting of each and every known XSS vulnerability for a particular service in an attempt to increase the chances of the attacker. And given that the majority of these have been patched a long time ago, social engineering comes into play. Do these services have a future? Definitely as more and more people are in fact looking for and requesting such services, in fact, they're willing to pay a bonus considering how exotic it is for them to have any email that they provide hacked into and the accounting data sent back to them

07. The Russia vs Georgia Cyber Attack
Event of the month? Could be, but just like every "event of the moth" everyone seems to be once again restating their "selective retention" preferences. What is selective retention anyway? Selective retention is basically a situation where once Russian is attacking another country's infrastructure, you would automatically conclude that it's Russian FSB behind the attacks and consciously and subconsciously ignore all the research and articles telling you otherwise, namely that the FSB wouldn't even bother acknowledging Georgia's online presence, at least not directly. Moreover, talking about the FSB as the agency behind the cyberattacks indicates "selective retention", talking about FAPSI indicates better understanding of the subject.

In times when cybercrime is getting ever easier to outsource, anyone following the news could basically orchestrate a large scale DDoS attack against a particular country in order to forward the responsibility to any country that they want to. In Russia vs Georgia, you have a combination of a collectivist society that's possessing the capabilities to launch DDoS attacks, knows where and how to order them, and that in times when your country is engaged in a war conflict drinking beer instead of DDoS-sing the major government sites of the adversary is not an option.

Selective retention when combined with a typical mainstream media's mentality to "slice the threat on pieces" instead of turning the page as soon as possible, is perhaps the worst possible combination. Furthermore, coming up with Social Network analysis of the cyberattacks would produce nothing more but a few fancy graphs of over enthusiastic Russian netizen's distributing the static list of the targets. The real conversations, as always, are happening in the "Dark Web" limiting the possibilities for open source intelligence using a data mining software. Things changed, OPSEC is slowly emerging as a concept among malicious parties, whenever some of the "calls for action" in the DDoS attacks were posted at mainstream forums, they were immediately removed so that they don't show up in such academic initiatives

08. 76Service - Cybercrime as a Service Going Mainstream
The reappearance of the 76Service allowing everyone to log into a web based interface and collect all the accounting and financial data coming from malware infected hosts across the globe for the period of time for which they've bought access, indicates that what used to be proprietary services which were supposedly no longer available, are now being operated in a do-it-yourself fashion. Goods and products mature into services, so from a cost-benefit analysis perspective, outsourcing is naturally most beneficial even when it comes to cybercrime

09. Who's Behind the Georgia Cyber Attacks?
If it's the botnets used in the attacks, they are known, if it's about who's providing the hosting for the command and control, it's the "usual suspects", but just like previous discussion of the Russian Business Network, it remains questionable on whether or not they work on a revenue-sharing basis, are simply providing the anti-abuse hosting, or are the shady conspirators that every newly born RBN expert is positioning them to be.

Cheap conversation regarding the RBN ultimately serves the RBN, and just for the record, there's a RBN alternative in every country, but the only thing that remains the same are the customers, tracking the customers means exposing the RBN and the international franchises of their services, making it harder to identify their international operations. And given that the "tip of the iceberg", namely RBN's U.S operations remain in tact, talking about taking actions against their international operations in countries where cybercrime law is still pending, is yet another quality research into the topic building up the pile of research into the very same segments of the very same ISPs.

Just for the record - these "very same ISPs" are regular readers of my blog, and if you analyze their activities, they're definitely reading yours too, ironically, surfing through gateways residing within their netblock that are so heavily blacklisted due to the guestbook and forum spamming activities that their bad reputation usually ends up in another massive blackhat SEO campaign exposed.

10. Guerilla Marketing for a Conspiracy Site
Conspiracy theorists may in fact have a new wallpaper to show off with

11. Banker Malware Targeting Brazilian Banks in the Wild
When misinformed and not knowing anything about a particular underground segment, a potential cybercriminal would stick to using such primitive compared to the sophisticated banker malware kits currently in the wild. These sophisticated banker malware kits are often coming in a customer-tailored proposition, with their price increasing or decreasing based on the specific module to be included or excluded. For instance, a module targeting all the U.S banks that has been put in a "learning mode" long before it was made available to the customers can be requested and is often available with the business model build around the customer's wants

12. Compromised Cpanel Accounts For Sale
Despite the massive SQL injection attacks, accounting data for Cpanel accounts coming from malware infected hosts seems to be once again coming into play, which isn't surprising given the filtering capabilities and log parsing tools today's botnet masters are empowered with. These very same compromised Cpanel accounts and the associated domains often end up so heavility abused that it's tactics like these that are driving the underground multitasking mentality, namely, abusing a single compromised account for each and every malicious online activity you can think of - even hosting banners for their blackhat SEO services

13. A Diverse Portfolio of Fake Security Software - Part Two
In August we saw a peek of fake security software, neatly typosquatted domains whose authors earn revenue each and every time someone installs the software. The vendors behind this software are forwarding the entire process of driving traffic to those excelling in aggregating traffic and abusing it. As anticipated, underground multitasking started taking place within the fake security software domains, with the people behind them introducing client-side exploits in order to improve the monetization of the traffic coming to the sites

14. DIY Botnet Kit Promising Eternal Updates
There's no such thing as a (quality) free botnet kit. What's for free is often the leftovers from a single feature of a more sophisticated proprietary botnet kit. This one in particular is however trying to demonstrate that even a plain simple GUI botnet command and control software can achieve the results desired by an average script kiddie, and not necessarily satisfy the needs of the experienced botnet master

15. A Diverse Portfolio of Fake Security Software - Part Three
As far as trends and fads are concerned, the majority of the domains are currently parked at up to four different IPs, with most of them going into a stand by mode once they get detected and reappear back couple of weeks later

16. Fake Celebrity Video Sites Serving Malware - Part Two
Due to the template-ization of fake celebrity video sites, and simple traffic management tools combined with blackhat SEO tactics, these sites are also prone to increase in the next couple of months

17. Web Based Botnet Command and Control Kit 2.0
It's releases like these that remind us of the amount of time, efforts and personal touch that a malicious attacker would put into such a management kit, currently acting as a personal benchmark as far as complexity and features indicating the coder's experience with botnets is concerned. What's he's failing to anticipate is that this kit is sooner or later going to turn into the "MPack of botnet management"

18. A Diverse Portfolio of Fake Security Software - Part Four
Keep it coming, we'll keep it exposing until we end up getting down to the "fake software vendor" itself

19. Automatic Email Harvesting 2.0
Email harvesting is slowly maturing into a vertically integrated service provided by vendors of managed spamming services. This email harvesting module is aiming to close the page on text obfuscation in respect to fighting spam, and is successfully recognizing and collecting such publicly available emails. From a psychological perspective though, the end users who bothered to obfuscate their emails are less likely to fall victims into phishing scams, with the obfuscation speaking for a relatively decent situational awareness on how they emails end up in a spammer's campaign

20. Fake Porn Sites Serving Malware - Part Three
As a firm believer in sampling in order to draw conclusions on the big picture, an approach that has proven highly accurate in modeling historical and upcoming tactics and behavior, a single fake porn site serving malware campaign usually exposes a dozen of misconfigured redirectors, which thanks to their misconfiguration despite the evasive features available within the kits, expose another dozen of malware campaigns

21. Facebook Malware Campaigns Rotating Tactics
With no particular flaw exploited other than the social engineering tactic of using already compromised Facebook accounts who would automatically spam all their friends with links to flash files hosted at legitimate services, the more persistent the campaign is, the higher the chance that it will scale enough. This campaign in particular is mainly relying on rotation of tactics, namely different messages, different services and file extensions used in order to trick someone's friend into visiting the URL. With the number of users increasing, the most popular social networking sites are naturally going to be permanently under attacks from cybercriminals

22. Fake Security Software Domains Serving Exploits
Despite that it's a single brand, namely the International Virus Research Lab that's introducing client-side exploits within it's portfolio of domains, the opportunity for abuse may be noticed by the rest of the brands pretty fast

23. Exposing India’s CAPTCHA Solving Economy
Taking into consideration the mentality surrounding a particular country's cybercriminals, how they think, how they operate, what do they define as an opportunity, and how much personal efforts are they willing to put into their campaigns, I wouldn't be surpised if a Russian vendor offering 100,000 bogus Gmail accounts for sale has in fact outsourcing the account registration process to Indian workers, paid them pocket change and is then reselling them ten to twenty times higher than the price he originally paid for them.

The text based CAPTCHAs used at the major Internet portals and services, are so efficiently abused by this approach that continuing to use is directly undermining the trust these email providers and services often come with as granted

Modelling Air Traffic Control

Mon, 08 Sep 2008 09:27:26 +0000

Today I will discuss a general approach to model air traffic control (ATC) using our CEP/EP reference architecture which is an application of the mature JDL multisensor data fusion model.

ATC is an excellent working example of complex event processing. Radar and GPS provide the basic sensory information to accurately track and trace the position of each aircraft in the area of responsibility (AOR) of a particular control tower/zone. Naturally, sensory information is preprocessed and formatted in such a way that the data can be processed upstream by multiple real-time applications.

Before we look at complex ATC scenarios, such as “potential collision” or “aircraft off approach vector” we must trace and trace individual objects, aircraft-objects, accurately with very high confidence. In addition to tracking aircraft-objects, there is a database of information about the aircraft (ideally), such as make, model, age, range, passengers and other properties about the aircraft-object. In addition, there is a state-model for each aircraft, for example the aircraft might be “on the ground”, “approaching the runway”, “cleared for takeoff”, “cruising altitude”, “approaching runway”, “final decent” etc.

Tracking and tracing individual aircraft is what is generally referred to as “object refinement” in our CEP/EP reference architecture. The reason we call this function “object refinement” is that system engineers are focused on optimizing the situational knowledge about individual objects. Sometimes we refer to this function as “track and trace” because that is what we are doing to each object in the model. In Marc Adler’s recent shoplifting scenario, Marc was interested in tracking and tracing people in a store using imaging processing techniques to estimate their behavioral patterns. In the same way, before we can process for scenarios such as “potential shoplifter” or “suspicious criminal gang activity” we must be able to accurately process (track and trace) individual object, such as people or merchandise.

Back to aircraft and ATC, the “complex event processing” begins when we are looking about object-object relationships, in this model, aircraft-to-aircraft, but this is an overly simplistic model, as we have not yet added (to our model) ground features (towers, buildings, power lines), weather (storm cells, wind) and other flying objects (known migratory bird paths, swarms of insects) to our simple model.

Complex event processing occurs when we are processing multiple objects in our model looking for threats in real-time. Practically speaking, all ATC applications are CEP applications. This means that vendors and integrators who build ATC applications are also CEP vendors.

Editorial Note: CEP/EP has been around for a long time and was not recently invented in the past decade as some “inventors” would like for us to believe.

As you can imagine, there is considerable “complex event processing” that goes on “behind the scenes” to provide air traffic controllers and pilots situational knowledge into the “friendly skies”. As you might further imagine, the situation is more complex when the skies are “not so friendly”, for example, in air combat situations.

Processing myriad objects is not the end of the processing “chain”. For example, decisions are being made constantly about potential damage, alternative airports, and more. In our reference model, we refer to this, generally speaking, as “impact assessment” because we must take an estimated detected complex event, for example “aircraft collision,” and estimate potential damage based on numerous factors such as, the amount of jet fuel in the aircrafts and the location of the aircrafts (over a large city or rural area, near a hospital and emergency services). Regardless of the scenario, an impact assessment is normally required before optimal decisions can be made.

This is true, by the way, for our shoplifting example (the impact is different if a piece of gum is stolen versus a $1,000,000 diamond necklace or weapons-grade nuclear material) and other scenarios and models. Static data (information about objects) is required for accurate decision processing.

Impact assessment is not the end of the “knowledge chain”. Decisions are constantly being made that effect resources. For example, suggestion an alternative route for an aircraft is a resource management decision. Turning on and off radar or switching to alternative tracking devices is a resource management function. In our CEP/EP reference model (based on the JDL data fusion model), we call this “resource management”. This function includes contacting emergency services and directing them to a potential crash location or sending out a message to instruct all aircraft to stay off a certain radio frequency. Resource management is critical.

Our simple ATC model today is by no means complete, it just scratches the surface. In fact, I have a very close friend, Mark Secrist, who is a former Marine fighter pilot and currently a senior captain for American Airlines. I have asked Mark to read this post and help me further refine this crude “laymans” ATC model (Thanks Mark!).

The Commoditization of Anti Debugging Features in RATs

Wed, 03 Sep 2008 03:46:00 +0000

Is it a Remote Administration Tool (RAT) or is it malware? That's the rhetorical question, since RATs are not supposed to have built-in Virustotal submission for the newly generated server, antivirus software "killing" and firewall bypassing capabilities.

Taking a peek into some of commodity features aiming to make it harder to analyze the malware found in pretty much all the average DIY malware builders available at the disposal at the average script kiddies, one of the latest releases pitched as RAT while it's malware clearly indicates the commoditization and availability of such modules :

" - FWB (DLL Injection, The DLL is Never Written to Disk)
- Decent Strong Traffic Encryption
- Try to Unhook UserMode APIs
- No Plugins/3rd Party Applications
- 4 Startup Methods (Shell, Policies, ActiveX, UserInIt)
- Set Maximum Connections
- Built In File Binder
- Multi Threaded Transfers
- Anti Debugging (Anti VMware, Anti Sandboxie, Anti Norman Sandbox, Anti VirtualPC, Anti Anubis Sandbox, Anti CW Sandbox)"

Malware coders or "malware modulators"? With the currently emerging malware as a web service toolkits porting common malware tools to the web, drag and drop web interfaces for malware building are definitely in the works.

Facebook Malware Campaigns Rotating Tactics

Wed, 27 Aug 2008 06:04:51 +0000

Trust is vital, and coming up with ways to multiply the trust factor is crucial for a successful malware campaign spreading across social networks. Excluding the publicly available malware modules for spreading across popular social networking sites, using the presumably, already phished accounts for the foundation of the trust factor, the recent malware campaigns spreading across Facebook and Myspace are all about plain simple social engineering and a combination of tactics.

However, in between combining typosquatting and on purposely introducing longer subdomains impersonating a web application's directory structure, there are certain exceptions. Like this flash file hosted at ImageShack and spammed across Facebook profiles, which at a particular moment in the past few days used to redirect to client-side exploits served on behalf of a shady affiliate network that's apparently geolocating the campaigns based on where the visitors are coming from.

img228.imageshack .us/img228/3238/gameonit4.swf redirects to ermacysoffer .info - (216.52.184.243) and to tracking.profitsource .net (67.208.131.124) that's also responding to p223in.linktrust .com (67.208.131.124). Just for the record, we also have halifax-cnline.co.uk parked at 216.52.184.243, 69.64.145.229 and 69.64.145.229, known badware IPs related to previous fraudulent activity.

Moreover, cross-checking this campaign with another Facebook malware campaign enticing users to visit whitneyganykus.blogspot .com where a javascript obfuscation redirects to absvdfd87 .com and from there to the already known tracking.profitsource .net/redir.aspx?CID=9725&AFID=28836&DID=44292, and given that absvdfd87.com is parked at the now known 69.64.145.229, we have a decent smoking gun connecting the two campaigns.

Facebook is often advising that users stay away from weird URLs, does this mean ignoring ImageShack and Blogspot altogether? The next malware campaign could be taking advantage of DoubleClick and AdSense redirectors - for starters.

[OT rant] Are there any home WiFi routers that DON'T SUCK?

Fri, 22 Aug 2008 20:12:38 +0000

Warning: rant ahead, and names named.

When I'm not traveling, I like to work from home some days rather than endure the trek from Seattle to Redmond (although it's much better now that our own employee transit service has expanded into my neighborhood -- the existence of which is sad commentary on the availability and reliability of Seattle's public transit companies).

This means, of course, that I need fast and stable network connections. Comcast with their PowerBoost is working very well for me. But I just can't find a decent wireless router at all. My Lenovo T61p (with Intel 4965abgn adapter) just won't stay connected to my D-Link DIR-628 and IT'S DRIVING ME CRAZY! (Yes, I've tried various driver versions, from both Lenovo and Intel.)

My house is in an area with a lot of wireless activity -- sometimes I can see nine or ten SSIDs. I'm running draft N on 2.4GHz (which occupies two non-adjacent channels, currently 1 and 4), and I suspect the problem is collision interference. I could shift the router to 5.2GHz, which I probably would help, but then the rest of the computers in my house won't connect. Why, you ask? Well get this: the DIR-628 is part of D-Link's RangeBooster N family. So I stayed in the family and got two DWA-542 adapters for the desktop computers. Yet they only do 2.4GHz! Silly me, I assumed that being in the same family means full support of the router's capabilities.

I'm very tempted to replace my router again -- and I'm thinking that the best option is to get one with dual radios. That way I can move my T61p to 5.2GHz and replace the desktop adapters, while still having single-channel 802.11b/g on 2.4GHz for the Wii and my PlayStation Portable.

Now my request: tell me about your experience with home routers. What do you really like, and why? What should I buy?

Guerilla Marketing for a Conspiracy Site

Thu, 14 Aug 2008 09:58:54 +0000

An image is worth a thousand words they say, especially when it's creative enough to count as a decent guerrilla marketing campaign for Alex Jones' infowars.com :

"Alex Jones is considered by many to be the grandfather of what has come to be known as the 9/11 Truth Movement. Jones predicted the 9/11 attack in a July 2001 television taping when he warned that the Globalists were going to attack New York and blame it on their asset Osama bin Laden. Since 9/11 Jones has broken many of the stories which later became the foundation of the evidence that the government was involved."

Sorry to disappoint, but as always, The Lone Gunmen were first to predict 9/11 in their "Pilot" episode, originally aired on 03/04/2001, obviously several months before Alex Jones did. How did they do it? By having a firm grasp of the obvious I guess.

Memo to the President

Tue, 12 Aug 2008 02:36:31 +0000

Obama has a cyber security plan.

It's basically what you would expect: Appoint a national cyber security advisor, invest in math and science education, establish standards for critical infrastructure, spend money on enforcement, establish national standards for securing personal data and data-breach disclosure, and work with industry and academia to develop a bunch of needed technologies.

I could comment on the plan, but with security the devil is always in the details -- and, of course, at this point there are few details. But since he brought up the topic -- McCain supposedly is "working on the issues" as well -- I have three pieces of policy advice for the next president, whoever he is. They're too detailed for campaign speeches or even position papers, but they're essential for improving information security in our society. Actually, they apply to national security in general. And they're things only government can do.

One, use your immense buying power to improve the security of commercial products and services. One property of technological products is that most of the cost is in the development of the product rather than the production. Think software: The first copy costs millions, but the second copy is free.

You have to secure your own government networks, military and civilian. You have to buy computers for all your government employees. Consolidate those contracts, and start putting explicit security requirements into the RFPs. You have the buying power to get your vendors to make serious security improvements in the products and services they sell to the government, and then we all benefit because they'll include those improvements in the same products and services they sell to the rest of us. We're all safer if information technology is more secure, even though the bad guys can use it, too.

Two, legislate results and not methodologies. There are a lot of areas in security where you need to pass laws, where the security externalities are such that the market fails to provide adequate security. For example, software companies who sell insecure products are exploiting an externality just as much as chemical plants that dump waste into the river. But a bad law is worse than no law. A law requiring companies to secure personal data is good; a law specifying what technologies they should use to do so is not. Mandating software liabilities for software failures is good, detailing how is not. Legislate for the results you want and implement the appropriate penalties; let the market figure out how -- that's what markets are good at.

Three, broadly invest in research. Basic research is risky; it doesn't always pay off. That's why companies have stopped funding it. Bell Labs is gone because nobody could afford it after the AT&T breakup, but the root cause was a desire for higher efficiency and short-term profitability -- not unreasonable in an unregulated business. Government research can be used to balance that by funding long-term research.

Spread those research dollars wide. Lately, most research money has been redirected through DARPA to near-term military-related projects; that's not good. Keep the earmark-happy Congress from dictating how the money is spent. Let the NSF, NIH and other funding agencies decide how to spend the money and don't try to micromanage. Give the national laboratories lots of freedom, too. Yes, some research will sound silly to a layman. But you can't predict what will be useful for what, and if funding is really peer-reviewed, the average results will be much better. Compared to corporate tax breaks and other subsidies, this is chump change.

If our research capability is to remain vibrant, we need more science and math students with decent elementary and high school preparation. The declining interest is partly from the perception that scientists don't get rich like lawyers and dentists and stockbrokers, but also because science isn't valued in a country full of creationists. One way the president can help is by trusting scientific advisers and not overruling them for political reasons.

Oh, and get rid of those post-9/11 restrictions on student visas that are causing (.pdf) so many top students to do their graduate work in Canada, Europe and Asia instead of in the United States. Those restrictions will hurt us immensely in the long run.

Those are the three big ones; the rest is in the details. And it's the details that matter. There are lots of serious issues that you're going to have to tackle: data privacy, data sharing, data mining, government eavesdropping, government databases, use of Social Security numbers as identifiers, and so on. It's not enough to get the broad policy goals right. You can have good intentions and enact a good law, and have the whole thing completely gutted by two sentences sneaked in during rulemaking by some lobbyist.

Security is both subtle and complex, and -- unfortunately -- it doesn't readily lend itself to normal legislative processes. You're used to finding consensus, but security by consensus rarely works. On the internet, security standards are much worse when they're developed by a consensus body, and much better when someone just does them. This doesn't always work -- a lot of crap security has come from companies that have "just done it" -- but nothing but mediocre standards come from consensus bodies. The point is that you won't get good security without pissing someone off: The information broker industry, the voting machine industry, the telcos. The normal legislative process makes it hard to get security right, which is why I don't have much optimism about what you can get done.

And if you're going to appoint a cyber security czar, you have to give him actual budgetary authority -- otherwise he won't be able to get anything done, either.

This essay originally appeared on Wired.com.