[fc-discuss] Financial Cryptography Update: Security Software faces rising barriers

iang@iang.org
Fri, 7 Oct 2005 11:24:18 +0100 (BST)

 Financial Cryptography Update: Security Software faces rising barriers 

                            October 07, 2005

Signs abound that it is becoming more difficult to do basic security
and stay clean oneself.  An indictment for writing and selling software
was issued in the US, and this opens up the Pandora's box of what is
reasonable behaviour in writing and selling.


 Can writing software be a crime?
 By Mark Rasch, SecurityFocus (MarkRasch at solutionary.com)
 Published Tuesday 4th October 2005 10:05 GMT

 Can writing software be a crime? A recent indictment in San Diego,
 California indicates that the answer to that question may be yes. We
 know that launching certain types of malicious code - viruses, worms,
 Trojans, even spyware or sending out spam - may violate the law. But on
 July 21, 2005 a federal grand jury in the Southern District of
 California indicted 25 year old Carlos Enrique Perez-Melara for writing
 and selling a computer program called "Loverspy," a key logging program
 designed to allow users to capture keystrokes of any computer onto
 which it is installed. The indictment raises a host of questions about
 the criminalization of code, and the rights of privacy for users of the
 Internet and computers in general.

We all might agree that what the defendant is doing is distasteful at
some level, but the real danger here is that what is created as a
precedent against key loggers will be used against other things.  Check
your local security software package list, and mark about half of them
for badness at some level.  I'd say this is so inevitable that any
attention paid to the case itself ("we need to stop this!") is
somewhere between ignorance and willful blindness.

On a similar front, recall the crypto regulations that US security
authors struggle under.  My view is that the US government's continuing
cryptopogrom feeds eventually into the US weakness against cyber
threats, so they've only themselves to blame.  Which might be ok for
them, but as software without crypto also affects the general strength
of the Internet at large, it's yet another case of society at large v.
USG.  Poking around over on PRZ's Zfone site I found yet another
development that will hamper US security producers from securing
themselves and us:


Downloading the Prototype

Since announcing this project at the Black Hat conference, a lot of
people have been asking to download the prototype just to play with it,
even though I warned them it was not a real product yet. In order to
make it available for download, I must take care of a few details
regarding export controls. After years of struggle in the 1990's, we
finally prevailed in our efforts to get the US Government to drop the
export controls in 2000. However, there are still some residual export
controls in place, namely, to prevent the software from being exported
to a few embargoed nations-- Cuba, Iran, Libya, North Korea, Sudan, and
Syria. _And there are now requirements to check customers against
government watch lists as well, which is something that companies such
as PGP have to comply with these days._ I will have to have my server
do these checks before allowing a download to proceed. It will take
some time to work out the details on how to do this, and it's turning
out to be more complicated than it first appeared.

Shipping security software now needs to check against a customer list
as well?  Especially one as bogus as the flying-while-Arab list?  Phil
is well used to being at the bleeding edge of the crypto distribution
business, so his commentary indicates that the situation exists, and he
expects to be pursued on any bureaucratic fronts that might exist.
Another sign of increasing cryptoparanoia:

The proposal by the Defense Department covers "deemed" exports.
According to the Commerce Department, "An export of technology or
source code (except encryption source code) is 'deemed' to take place
when it is released to a foreign national within the United States."

The Pentagon wants to tighten restrictions on deemed exports to
restrict the flow of technical knowledge to potential enemies.

A further issue that has given me much thought is the suggestion by
some that security people should not break any laws in doing their
work.  I saw an article a few days back on Lynn's list, now lost, that
described how the FBI cooperates with security workers who commit
illegal acts in chasing bad guys (in this case extortionists in
Russia).  They say things like "we can't possibly suggest that illegal
act and we would never do it ourselves ... but we'd be grateful to
share any results from it."

What a contrast to the view that security workers should never commit a
"federal offence" in doing their work.

I find the whole debate surrealistic as the laws that create these
offences are so broad and sweeping that it is not clear to me that a
security person can do any job without breaking some laws;  or is this
just another sign that most security people are more bureaucrats than
thinkers?  I recently observed a case where in order to find some
security hardware, a techie ran a portscan on a local net and
hard-crashed the very equipment he was looking for.  In the ensuing hue
and cry over the crashed equipment (I never heard if they ever
recovered the poor stricken device...), the voice that was heard
loudest was that "he shouldn't be doing that!"  The voice that went
almost unheard was that the equipment wasn't resilient enough to do the
job of securing the facility if it fell over when a mere port scan hit

Barriers are rising in the security business.  Which is precisely the
wrong thing to do;  security is mostly a bottom-up activity, and making
it difficult for the small players and the techies at the coalface will
reduce overall security for all.  The puzzling thing is why other
people do not see that;  why we have to go through the pain of
Sarbanes-Oxley, expensive CA models, suits against small software
manufacturers, putting software tool-makers and crypto protocol
designers in jail and the like in order to discover that inflexible
rules and blind bureaucracy have only a limited place to play in
