Bubble Boy

Kjell Wooding | 2001-11-06

You know the bubble boy. The kid who lives in a bubble all his life. He's not exposed to diseases of any kind. If for any reason he leaves the bubble, he catches the first disease that comes along, and promptly dies. That's the Internet. Or at least, that's what the Internet infrastructure is gonna be like soon.

The Bill

In case you missed it, the Dubya recently signed the USA Patriot Act into law. The name of this bill alone should have set off warning bells across the nation. Let's see. I have a bill that contains some pretty contentious stuff. I want to get it passed without any serious debate. I know, I'll title it so that anyone voting No is clearly a filthy, un-American traitor! Brilliant!

Analysis of the PATRIOT Bill

Excerpt from the EFF Analysis

Dramatic increases to the scope and penalties of the Computer Fraud and Abuse Act.

This includes:

  1. raising the maximum penalty for violations to 10 years (from 5) for a first offense and 20 years (from 10) for a second offense;
  2. ensuring that violators only need to intend to cause damage generally, not intend to cause damage or other specified harm over the $5,000 statutory damage threshold;
  3. allowing aggregation of damages to different computers over a year to reach the $5,000 threshold;
  4. enhancing punishment for violations involving any (not just $5,000) damage to a government computer involved in criminal justice or the military;
  5. including damage to foreign computers involved in US interstate commerce;
  6. including state law offenses as priors for sentencing;
  7. expanding the definition of loss to expressly include time spent investigating, responding, for damage assessment and for restoration.

The Patriot bill does a lot of things, not the least of which is give the US Government the right to spy on its citizens' Internet activities without a warrant, and to force anyone convicted of a violent crime to place their DNA in a central database. I'm not sure, but I think at least one of those topics should have generated at least a little debate. In addition to these pesky little Rights and Freedoms issues, however, this act also puts the most minor of computer-related crimes on par with terrorism.

Terrorist Acts

Terrorist acts are defined as large-scale attacks against our infrastructure. The power grid. The phone network. Cellphones are even a candidate here, but the Internet? “I can't get to Yahoo” is on par with blowing up California's power plants? Terrorist acts are designed to provoke widespread fear and panic. Is waking up and discovering that your Web Site has been defaced going to make you afraid to send your children to school?

Think about this. Some idiot 12-year-old sends out mail with the contents:

To: dumbass@wherever.com
From: “A trusted source” <satan@hackyourass.net>
Subject: This is not a virus!

This is not a hoax. Run the attached program called format_my_hard_drive_and_mail_myself_to_all_your_friends.exe to see Anna Kournikova naked.

So you click on this, and suddenly, the neighbour's kid is a terrorist. Personally, I think they'd be locking the wrong person away.

Actually, this could explain some things. Evil terrorist script kiddies made all those fine, upstanding, American e-commerce companies unprofitable. It was an attack on our infrastructure! It had nothing to do with nonsensical business plans, or the new economy.

Uh-huh.

As much as I hate to admit it, being a good little geek and all, I think it may be a bit early to consider the Internet part of our core societal infrastructure. It seems to me that this superhighway is more like a dirt road.

Where's the Beef?

My real beefs with this act, and similar ones being considered around the world, are threefold. First, these bills are getting fast-tracked through their respective Congresses and Parliaments with a yellow post-it on top saying “Don't think about it – Vote Yes.” The terrorist card is a great one to play here. If you disagree, we start calling you Osama.

Second, everyone and their dog is tacking on their pet piece of legislation. DNA samples for violent offenders? I'm not a big fan of rapists either, but what is this doing in the terrorism bill? And what good is DNA from a suicide bomber going to do, anyway? Changes in how $5,000 in damages is calculated for computer crimes? If the crime is hovering around the $5,000 mark, including “time spent investigating, responding, for damage assessment and for restoration,” then I'm pretty sure we can rule out terrorism. In fact, I'm pretty sure the crime should have the word petty in it.

Finally, and this is the real kicker, these and other laws relating to technology are all written by 60-year-old grey hairs who just haven't “been able to get the hang of them computer things yet.” Of course they're wary of terrorist hackers. They're terrified of the computers that they sit behind.

Basically, we're building a system where if you think damaging thoughts about a computer system, you go to jail. How could that possibly be bad for our Internet “Infrastructure,” you ask? Hold that thought for a sec.

The Other Bill

Scott Culp, of Microsoft's Security Response Centre, has recently called for an end to Information Anarchy. In his parlance, Information Anarchy is something that this ex-security professional used to call Full Disclosure.

Information Anarchy

Scott Culp, Manager, Microsoft Security Response Center, in a recent TechNet article:

“an administrator doesn't need to know how a vulnerability works in order to understand how to protect against it, any more than a person needs to know how to cause a headache in order to take an aspirin.”

And the ominous conclusion:

“For its part, Microsoft will be working with other industry leaders over the course of the coming months, to build an industry-wide consensus on this issue. We'll provide additional information as this effort moves forward, and will ask for our customers' support in encouraging its adoption. It's time for the security community to get on the right side of this issue.”

Oh I'm sorry - is that your arm I'm twisting?

Let's think for a second what Scott is proposing here: “shut up and pop that pill.” Don't you think that perhaps the person with the headache ought to be asking why his head is hurting? Patching holes without discussion of the underlying problem is like bailing out a boat without looking for the leak. And to claim that system administrators don't need to understand the vulnerabilities that they need to protect their systems from, well that's just dumb. Anyone remember CERT Advisories? Did anyone really find it useful to be notified of a vendor patch one year after the problem appeared in the wild?

Vendors treat vulnerabilities as a marketing problem. As a shareholder, I would expect no less. As a system administrator, however, I need more. But I've said this all before. What's new is that now I'm facing down both my favorite monopolist, and the US Congress.

So, we slap script kiddies with sentences rapists would be wary of, we stop everyone from talking about vulnerabilities and exploits, and trust our vendors to keep us safe from harm and bad press. We build a great big bubble around our Internet infrastructure, and trust that everything will be okay. Basically, we legislate away the hacker attacks, and keep those pesky “White Hats” from talking.

And then the entire Internet falls to a mighty terrorist attack, based on a vulnerability that we didn't know was there. Unlike the vulnerabilities of old - this one has a malicious payload. This one wipes hard drives and fries BIOSes. The bubble bursts, and the Internet dies.

Makes you sort of wish you had your script kiddies back, doesn't it?
