[fc-discuss] Financial Cryptography Update: Security Professionals Advised to Button Lips

iang@iang.org iang@iang.org
Tue, 25 Oct 2005 22:43:39 +0100 (BST)

 Financial Cryptography Update: Security Professionals Advised to Button Lips 

                            October 25, 2005

Nick pointed me to his Cuthbert post, and I asked where the RSS feed
was, adding "I cannot see it on the page, and I'm not clued enough to
invent it."  To which he dryly commented "if you tried to invent it
you'd arguably end up creating many "unauthorized" URLs in the

Welcome to the world of security post-Cuthbert.  He raises many points:

Under these statutes, the Web equivalent of pushing on the door of a
grocery store to see if it's still open has been made a crime. These
vague and overly broad statutes put security professionals and other
curious web users at risk. We depend on network security professionals
to protect us from cyberterrorism, phishing, and many other on-line
threats. These statutes, as currently worded and applied, threaten them
with career ruin for carrying out their jobs. Cuthbert was convicted
for attempting to determine whether a web site that looked like British
Telecom's payment site was actually a phishing site, by adding just the
characters "../.." to the BT site's URL. If we are to defeat phishing
and prevent cyberterrorism, we need more curious and public-spirited
people like Cuthbert.

Meanwhile, these statutes generally require "knowledge" that the access
was "unauthorized." It is thus crucial for your future liberty and
career that, if you suspect that you are suspected of any sort of
"unauthorized access," take advantage of your Miranda (hopefully you
have some similar right if you are overseas) right to remain silent.
This is a very sad thing to have to recommend to network security
professionals, because the world loses a great deal of security when
security professionals can no longer speak frankly to law-enforcement
authorities. But until the law is fixed you are a complete idiot if you
flap your lips.

Point!  I had not thought so far, although I had pointed out that
security professionals are now going to have to raise fingers from
keyboards whenever in the course of their work they are asked to
"investigate a fraud."

Consider the ramifications of an inadvertent hit on a site - what are
you going to do when the Met Police comes around for a little chat?
Counsel would probably suggest "say nothing."  Or more neutrally, "I do
not recollect doing anything on that day .. to that site .. on this
planet!" as the concept of Miranda rights is not so widely encouraged
outside the US.  Unfortunately, the knock-on effect of _Cuthbert_ is
that until you are apprised of the case in detail - something that
never happens - then you will not know whether you are suspect or not,
and your only safe choice is to keep your lips buttoned.

Nick goes on to discuss ways to repair the law, and while I agree that
this would be potentially welcome, I am not sure whether it is
necessary.  Discussion with the cap-talk people (the most scientific
security group that I am aware of, but not the least argumentative!) has
led to the following theory:  the judgement was flawed because it was
claimed that the access was unauthorised.  This was false.
Specifically, the RFC authorises the access, and there is no reasonable
theory to the contrary, including any sign on the site that explains
what is authorised and what not.  The best that could be argued - in a
spirited defence by devil's advocate Sandro Magi - is that any link not
provided by the site is unauthorised by default.

In contrast, there is a view among some security consultants that you
should never do anything you shouldn't ever do, which is more or less
what the "unauthorised" claim espouses.  On the surface this sounds
reasonable, but it has intractable difficulties.  What shouldn't you
ever do?  Where does it say this?  What happens if it *is* a phishing
site?  This view is neither widely understood by the user public nor
plausibly explained by the proponents of that view, and it would appear
to be a cop-out in all senses.

Worse, it blows a hole in the waterline of any phishing defence known
to actually work - how are we going to help users to defend themselves
if we are skating within cracking distance of the thin ice of
_Cuthbert_?  Unfortunately, explaining why it is not a rational theory
in legal, economic or user terms is about as difficult as having an
honest discussion about phishing.  Score Cuthbert up as an own-goal for
the anti-phishing side.
