Blogger: Dan Blum

One of our service directors likes to quote William Gibson: “The future is here, it’s just unevenly distributed.”

At Microsoft’s Server and Tools Business (STB) Analyst and Tech Ed conferences last week, I saw a vendor and a user community living in the past, present and future with many unevenly distributed capabilities.

In a session on identity management strategy, for example, Microsoft discussed a variety of initiatives. These range from Card Space (futuristic implementation of user-centric Information Card specifications) to ADFS (present day enterprise federation support, though unfortunately lacking full SAML capabilities) to self-service password reset exposed through Office (decidedly backward-looking as this functionality has been available from many vendors through browsers for many years).

In another session on rights management and SharePoint, Microsoft highlighted the opportunity to configure SharePoint libraries to automatically apply Active Directory Rights Management Services protections on downloaded documents. Digital rights management (DRM) is controversial and no strong guarantor of confidentiality. Nonetheless, it is a  way to put futuristic self-protecting wrappers on content so as to prevent its accidental leakage or misuse by honest, cooperative users. Because it’s not something that can resist certain types of malicious attackers, many security professionals look down their noses at rights management. Nonetheless, preventing accidental misuse of enterprise information is a big part of the space. It was clear from the number of people in the room asking intelligent questions suggesting realistic expectations that customers see potential value for this technology.

Finally, I was impressed by a presentation on IPSec, PKI and NAP by a Brazilian university IT manager named Rodrigo Imaginario. Starting three years ago, the university combined its student and administrative networks into a single network. Yet servers running ERP and containing administrative content (such as grading information) need to be protected from a subset of students going through their hacking stage. Imaginario implemented a logical security zoning overlay on top of the network using IPSEC in Windows. In the restricted zone, servers only accept connections from Kerberos-authenticated IPSEC clients in the administrative domain. Today, the authentication is being upgraded to use PKI for secure, all campus wireless networking. Imaginario indicated the university took the Windows IPSEC route approach because no additional software had to be purchased. Configuration was difficult, he said, but will get easier with Windows Server 2008. This sounds like an idea whose time has come.

Blogger: Dan Blum

One of our service directors likes to quote William Gibson: ???The future is here, it???s just unevenly distributed.???

At Microsoft???s Server and Tools Business (STB) Analyst and Tech Ed conferences last week, I saw a vendor and a user community living in the past, present and future with many unevenly distributed capabilities.

In a session on identity management strategy, for example, Microsoft discussed a variety of initiatives. These range from Card Space (futuristic implementation of user-centric Information Card specifications) to ADFS (present day enterprise federation support, though unfortunately lacking full SAML capabilities) to self-service password reset exposed through Office (decidedly backward-looking as this functionality has been available from many vendors through browsers for many years).

In another session on rights management and SharePoint, Microsoft highlighted the opportunity to configure SharePoint libraries to automatically apply Active Directory Rights Management Services protections on downloaded documents. Digital rights management (DRM) is controversial and no strong guarantor of confidentiality. Nonetheless, it is a  way to put futuristic self-protecting wrappers on content so as to prevent its accidental leakage or misuse by honest, cooperative users. Because it???s not something that can resist certain types of malicious attackers, many security professionals look down their noses at rights management. Nonetheless, preventing accidental misuse of enterprise information is a big part of the space. It was clear from the number of people in the room asking intelligent questions suggesting realistic expectations that customers see potential value for this technology.

Finally, I was impressed by a presentation on IPSec, PKI and NAP by a Brazilian university IT manager named Rodrigo Imaginario. Starting three years ago, the university combined its student and administrative networks into a single network. Yet servers running ERP and containing administrative content (such as grading information) need to be protected from a subset of students going through their hacking stage. Imaginario implemented a logical security zoning overlay on top of the network using IPSEC in Windows. In the restricted zone, servers only accept connections from Kerberos-authenticated IPSEC clients in the administrative domain. Today, the authentication is being upgraded to use PKI for secure, all campus wireless networking. Imaginario indicated the university took the Windows IPSEC route approach because no additional software had to be purchased. Configuration was difficult, he said, but will get easier with Windows Server 2008. This sounds like an idea whose time has come.

"Bricked" is the term, and Apple isn't the least bit apologetic about it.

Computer companies want more control over the products they sell you, and they're resorting to increasingly draconian security measures to get that control. The reasons are economic.

Control allows a company to limit competition for ancillary products. With Mac computers, anyone can sell software that does anything. But Apple gets to decide who can sell what on the iPhone. It can foster competition when it wants, and reserve itself a monopoly position when it wants. And it can dictate terms to any company that wants to sell iPhone software and accessories.

This increases Apple's bottom line. But the primary benefit of all this control for Apple is that it increases lock-in. "Lock-in" is an economic term for the difficulty of switching to a competing product. For some products -- cola, for example -- there's no lock-in. I can drink a Coke today and a Pepsi tomorrow: no big deal. But for other products, it's harder.

Switching word processors, for example, requires installing a new application, learning a new interface and a new set of commands, converting all the files (which may not convert cleanly) and custom software (which will certainly require rewriting), and possibly even buying new hardware. If Coke stops satisfying me for even a moment, I'll switch: something Coke learned the hard way in 1985 when it changed the formula and started marketing New Coke. But my word processor has to really piss me off for a good long time before I'll even consider going through all that work and expense.

Lock-in isn't new. It's why all gaming-console manufacturers make sure that their game cartridges don't work on any other console, and how they can price the consoles at a loss and make the profit up by selling games. It's why Microsoft never wants to open up its file formats so other applications can read them. It's why music purchased from Apple for your iPod won't work on other brands of music players. It's why every U.S. cellphone company fought against phone number portability. It's why Facebook sues any company that tries to scrape its data and put it on a competing website. It explains airline frequent flyer programs, supermarket affinity cards and the new My Coke Rewards program.

With enough lock-in, a company can protect its market share even as it reduces customer service, raises prices, refuses to innovate and otherwise abuses its customer base. It should be no surprise that this sounds like pretty much every experience you've had with IT companies: Once the industry discovered lock-in, everyone started figuring out how to get as much of it as they can.

Economists Carl Shapiro and Hal Varian even proved that the value of a software company is the total lock-in. Here's the logic: Assume, for example, that you have 100 people in a company using MS Office at a cost of $500 each. If it cost the company less than $50,000 to switch to Open Office, they would. If it cost the company more than $50,000, Microsoft would increase its prices.

Mostly, companies increase their lock-in through security mechanisms. Sometimes patents preserve lock-in, but more often it's copy protection, digital rights management (DRM), code signing or other security mechanisms. These security features aren't what we normally think of as security: They don't protect us from some outside threat, they protect the companies from us.

Microsoft has been planning this sort of control-based security mechanism for years. First called Palladium and now NGSCB (Next-Generation Secure Computing Base), the idea is to build a control-based security system into the computing hardware. The details are complicated, but the results range from only allowing a computer to boot from an authorized copy of the OS to prohibiting the user from accessing "unauthorized" files or running unauthorized software. The competitive benefits to Microsoft are enormous (.pdf).

Of course, that's not how Microsoft advertises NGSCB. The company has positioned it as a security measure, protecting users from worms, Trojans and other malware. But control does not equal security; and this sort of control-based security is very difficult to get right, and sometimes makes us more vulnerable to other threats. Perhaps this is why Microsoft is quietly killing NGSCB -- we've gotten BitLocker, and we might get some other security features down the line -- despite the huge investment hardware manufacturers made when incorporating special security hardware into their motherboards.

In my last column, I talked about the security-versus-privacy debate, and how it's actually a debate about liberty versus control. Here we see the same dynamic, but in a commercial setting. By confusing control and security, companies are able to force control measures that work against our interests by convincing us they are doing it for our own safety.

As for Apple and the iPhone, I don't know what they're going to do. On the one hand, there's this analyst report that claims there are over a million unlocked iPhones, costing Apple between $300 million and $400 million in revenue. On the other hand, Apple is planning to release a software development kit this month, reversing its earlier restriction and allowing third-party vendors to write iPhone applications. Apple will attempt to keep control through a secret application key that will be required by all "official" third-party applications, but of course it's already been leaked.

And the security arms race goes on ...

This essay previously appeared on Wired.com.

EDITED TO ADD (2/12): SlashDot thread.

And critical commentary, which is oddly political:

This isn’t lock-in, it’s called choosing a product that meets your needs. If you don’t want to be tied to a particular phone network, don’t buy an iPhone. If installing third-party applications (between now and the end of February, when officially-sanctioned ones will start to appear) is critically important to you, don’t buy an iPhone.

It’s one thing to grumble about an otherwise tempting device not supporting some feature you would find useful; it’s another entirely to imply that this represents anti-libertarian lock-in. The fact remains, you are free to buy one of the many other devices on the market that existed before there ever was an iPhone.

Actually, lock-in is one of the factors you have to consider when choosing a product to meet your needs. It's not one thing or the other. And lock-in is certainly not "anti-libertarian." Lock-in is what you get when you have an unfettered free market competing for customers; it's libertarian utopia. Government regulations that limit lock-in tactics -- something I think would be very good for society -- is what's anti-libertarian.

Here's a commentary on that previous commentary. This is some good commentary, too.

This all goes back to the simple fact that all DRM is based on encryption, and that it’s illogical to give someone the decryption key that is required to enable what the media industry views as authorized behavior (media playback) without expecting someone else to utilize that decryption key for other behavior, such as making Fair Use backups or sharing it on a P2P network. 

Encryption is defined as the science and study of secret writing.  What is it that the media industry is trying to keep secret?  While we may want I Now Pronounce You Chuck and Larry and Who’s Your Caddy to be some sort of secret internal referendum on the crap the entertainment industry regularly produces, we have to assume from their actions (theater release inevitably followed by mass DVD production) that they are proud of their works and wish to share them with the entire world.

They worried about piracy with VHS, and it turns out that may have in fact saved Disney and launched an entire consumer market for home video.  They worried about it with DVD’s, which have brought in billions of dollars to the media industry despite the fact that CSS was broken in 1999.  Their fear and illogical behavior impedes and irritates their consumers while having absolutely no effect on the spread of piracy (which they could easily defeat should they ever focus on the simple economics and technology of the pirating industry).

I would be happier if the media industry and the TSA were sadistic rather than incompetent.  It would be comical to see these two groups meeting for the first time over drinks trying to one up each other:

“We made a list comprised of thousands of names.  If you fly and your name is even remotely similar to one on the list, we do extra searches…every time you fly….over and over again.  The kicker is we let anyone with Photoshop and a printer board under any name they want.”

“Oh yeah, well we sell malleable $.05 pieces of plastic for $20 and when it gets scratched or stolen, we force them to buy a new one because we don’t allow them to make backups.  Even though anyone with technical skillz can download the same thing for free.”

“Oh yeah, well we found a way to make people who can’t even change at the gym without flip flops walk around barefoot in public.  We tell them we’re screening for bombs and they just go with it.  The terrorist can still strap whatever they need to their leg, just not their shoes.”

“We installed rootkits on people’s PC without their knowledge.”

 “We banned water and baby food.”

 “We sue the people who love our products the most.”

“We detain babies.”

“We…damn you!  Stop playing the baby card, that’s not fair!”

The 14th episode of The Silver Bullet Security Podcast features Peter Neumann, designer of the Multics OS file system, moderator of comp.RISKS, and Principal Scientist at the SRI Computer Science Laboratory. In this show, Gary and Peter discuss the most important changes in computer security since the 1960s, the discipline involved in early Multics engineering (”nodody writes a line of code without the approving authorities [having] read and understood the specification”), why DRM is the “wrong solution to the wrong problem,” and who was more interesting to meet: Albert Einstein or Norah Jones.

• Peter Neumann
• comp.RISKS
• Computer-Related Risks
• Multics
• A General-Purpose File System For Secondary Storage - Peter’s 1965 paper on Multics
• Multics History Project
• The Brooklyn Boogaloo Blowout

While I would love for Congress to fix our copyright laws, I regard the notion as fantasy.  They don’t appear capable of fixing any complicated issue and tend to muddy the waters making any situation worse off than when they began.  Secondly, the media industry will either collapse under the weight of their archaic business model or realize the impossibility of DRM and move in another direction.  Either of which nullifies the issue.

DRM is impossible due to the fact that it falls under the BORA (break once run anywhere) principle.  This principle is understood thoroughly by those of us in the security industry.  When analyzing a threat, if it’s determined that an entity could be compromised once and then be exploited globally, you are faced with two choices: restrict access to the entity by limiting and hardening access points or decrease the exploitability of the entity once compromised.

Many industries have fought BORA, which is akin to fighting gravity.  I can think of three this morning, namely the software, credit card, and media industries.  It’s infuriating to think of all the revenue lost and the exorbitant externalities bore by an unassuming public all because these industries couldn’t understand simple logic.  This is especially true when the solution requires only a trivial leap of faith.  

The credit card industry is by far the clearest example of an industry that came to terms with the BORA principle.  Quite frankly, they delayed the success of ecommerce by about 5 years.  I’ll even go so far as to say that we would not have had a dotcom bubble if not for their foolishness.

In 1992, credit card fraud was at its peak (15.7 cents per $100 charged) due to fraudsters becoming more advanced.  The internet allowed people with similar interests who would have never came into contact in the physical world to find one another digitally.  Fraudsters were able to share information and increase the sophistication of scams long before e-commerce was a reality.

Faced with a bleak economic picture, the credit card industry became paralyzed by fear as they imagined credit card numbers floating unprotected through cyber space.  For 6 years their agenda was to spread fear in the hopes consumers (and brick and mortar retailers) wouldn’t embrace ecommerce until they created a process by which credit card numbers couldn’t be stolen online.

Their fear clouded their ability to approach the problem logically.  If a credit card can easily be cloned by your waiter at a restaurant, then why protect the same card during an online transaction?  Or better yet, why protect individual transactions while every brick and mortar retailer has a record of each credit card used for purchases?  As a criminal you target the warehouse, the delivery truck, the retailer, but never a single customer.

The history of ecommerce between 1992 through 1997 is fairly interesting and comical.  The failure to realize what seems obvious today is not the fault of a single company.  There were over 30 dotcom companies that were created during this period, all vying to be the payment processor for not only the web, but literally the future.  In 1994, Visa and MasterCard turned to Microsoft and Netscape, respectively, for solutions.  As any company would, these tech giants devised schemes that benefited them rather than serve the needs of their clients.

Fortunately for Visa and MasterCard, CNP (card not present) transactions were already allowed for mail order catalog purchases.  Despite their fear campaign and merchant agreements that left stores 100% liable for fraud, companies like Amazon accepted the increased risk and allowed the credit card industry to ultimately be successful.  By 1998, Visa’s sales volume had tripled which cut fraud as a percentage nearly in half. 

Credit cards went from being used for credit to being used for convenience (what they were originally designed for in the 1950’s when the banking system was fractured).  This was a massive shift in the financial industry.  Comparing one’s own experiences in the checkout line at a grocery store in 1992 and 2002 tells the story.  It went from checks and cash to plastic.  Even the stigma of credit cards is completely different today.  College students can’t survive without credit cards, a far cry from when they were counseled not to have one. 

With this shift, credit card companies began focusing on preventing fraudulent transactions.  By using two sets of data, one for CNP and the other for in-store transactions, they were able to prevent cards that were cloned from being used on the web, and card numbers stolen on the web from being used in person.  The other advent was address verification, which among other things allowed retailers (who are liable for fraud) to prevent highly liquid assets from being shipped to any address other than where the statements are delivered.

They then began to promote ecommerce as if they never said anything bad about it in the first place.  Consumers were given zero fraud guarantees which created a perception of little to no risk.  It wasn’t long before traditional brick and mortar retailers rushed to the web, displacing overnight dotcom sensations which lacked feasible business models.  Finally in 2003, we were at point that could have been accomplished in 1998. 

There are many parallels between what the credit card industry went through and where the media industry finds itself today.  Instead of focusing on preventing the Fair Use of their content, they should instead deliver it through open mediums creating additional revenue streams while increasing the popularity of their product.  Piracy can be handily defeated, not through the legal system but rather through a firm understanding of the economics of the environment. 

Today, credit card companies are at the peak of their success.  In 2004, the fraud rate for credit cards dropped to an all time low of 4.7 cents per $100, while setting records for volume and profits.  I know for a fact the same thing can be accomplished in the media industry because I’ve studied it.  All it will take is a trivial leap of faith.

-Eric Marvets