Spaf, can you tell us about the work you do in relation to information security, computer crime investigation, and information ethics? What prompted you to enter this field?
Well, I have a number of roles. First and foremost, I am a professor here at Purdue University. I teach courses in information security. I also advise graduate students (at the MS and PhD levels) as they do thesis work and research in infosec, cyber forensics, and security policy. I also have some undergraduates doing advanced research work, for course credit or general experience.
As the executive director of CERIAS, I am involved with a broad range of activities. I am involved in the operational details of the center, with funding of our effort, and with support of other projects on campus that require some input as regards information security. I'm involved with about 80% of the activities of the Center directly, and the other 20% indirectly.
There are three major foci to what I do at the center beyond the administrative. First, I am trying to find new opportunities to encourage our faculty around campus to address problems in infosec, information assurance, cybercrime investigation, cyber ethics, and related topics. This means learning what they're doing, introducing them to each other and to outside personnel, and otherwise trying to find ways to make it easier for them to make progress in the area. Second, I'm involved in increasing our educational offerings. This means creating and administering our multidisciplinary MS program in infosec, helping other departments get new course offerings in place, and some involvement in helping to hire new faculty. The third area is in outreach and public engagement. Here I'm working with lots of people on and off campus to set up technology transfer, continuing education and certification programs, and information resources thru our WWW site. Over the last year we've also sponsored a couple of small conferences, a bunch of workshops and presentations, and some publications. We've worked with state offices on new legislation for privacy and security. And we've worked with state and local agencies to help them audit and secure their systems.
Outside of Purdue, I am involved on a number of advisory boards and committees where I am trying to help others grow and enhance their programs, or where we are trying to provide information to help policymakers develop better positions.
This academic year I have also been a part-time senior advisor at NSF on cybersecurity and cybercrime programs.
Short version: I got into all of this because I was fascinated by the reliance people have on computing. I started off doing research on issues related to fault-tolerance because it is clear that when systems fail, the results can be catastrophic and people tend to place too much reliance on the computers. Then for a while I worked in software verification, as a means of trying to keep software from failing. Then I realized that trying to keep others from causing the software to fail was perhaps the ultimate challenge. I've had some luck with my research and results in the field, and so I've been focusing on security technologies for the last decade.
More recently, I am now interested in trying to bring a science basis to the area of cyber forensics. Too much is being done there in an ad hoc manner, and it is really time we devoted some energy to formal foundations.
You recently testified before the Terrorism, Unconventional Threats and Capabilities Subcommittee of the House Armed Services Committee (written, audio). Tell us about that experience.
I've been asked to testify before Congressional committees four times now. Each experience has started with a staffer getting my name from someone in a Federal agency, or another witness who appeared before the committee. The staffer has then contacted me and asked if I would be willing and able to speak on the topic the committee will be considering. Thereafter, an invitation is issued. (As an aside, the tradition is that invitations are only issued if they know that they will be accepted. Thus, they screen the candidates first!)
Once the initial contact is made, I normally only have about 5-7 days to prepare a written statement, and then to produce an oral statement. The written statement needs to be submitted to the staff several days in advance of the testimony. Normally, I write furiously for several days to get a draft, and then I circulate it to a number of my colleagues in the area for comment. I am fortunate that I have many colleagues who are willing to provide good feedback on short notice. I have tried to get several of the statements agreed to in principle by the CRA (Computing Research Association) and the USACM (US Public Policy Committee of ACM) as a way both of verifying that I am saying the right things, and to add some weight to the statement.
I then find my way to DC (Congress doesn't reimburse witness expenses) and await the hearings. I showed up at each about a half-hour before to meet staff. Sometimes friends meet me there.
When the time comes, we are seated at the hearing table in front of mikes and light boxes. When we get our chance to speak, we have only about 5 minutes to make all our major points to the audience, most of whom are not deeply versed in the technology. So, it really needs to be packaged well. The light boxes turn yellow when we have only a little time left, and we have to finish when the red light goes on. As an academic, I can speak on any topic for an hour. Keeping it at 5 minutes is a real challenge! :-)
After that, there are questions from the members. A few questions may be for the benefit of the audience (especially if the proceedings are televised), and several are for the edification of the Congressional staff who are usually listening intently. Sometimes, a question will come from out of left field, though, and those are really fun.
The last couple of times, I got a lot of questions. Some of the other people on the panels were government employees and their agencies had provided official "scripts" they weren't supposed to wander from. I don't have those kinds of restrictions. I also have 25 years of teaching experience -- explaining new concepts to audiences -- so my delivery as well as my candor seems to be appreciated and I tend to get lots of questions. I try to answer them in simple terms -- and quickly. In House hearings, each member is allowed only so many minutes for all questions and responses. Thus, a long-winded answer uses up all the time and that isn't appreciated.
It's generally a very positive experience. It's not a hostile hearing as depicted in the movies. It's a case where our elected representatives and their staff are really trying to understand complex issues and do the right thing. They need the input, but sometimes it isn't easy for them to get. I view it as an opportunity to help them understand so they can make the best decisions.
That said, I think the written input provides the best guidance, because the staff can ask written follow-up questions in the following weeks...and they have.
Copies of my written testimonies are available online.
In your written statement, you told the Subcommittee, very bluntly: "Legislation against technology instead of against infringing behavior can only hurt our progress in securing the infrastructure." What did you mean?
There are several reasons why. First and foremost, few technologies are inherently bad -- what really matters is who uses them, and how. At its simplest, it is the "Guns don't kill people, people kill people" argument. Many, if not most, technologies have both good uses and bad. IT is particularly an area where the technology is changing so quickly that setting up restrictions now could hamper future lines of inquiry and development that could be of great benefit later on.
A second reason is that law can be enacted broadly, interpreted in unexpected ways, and then applied in unfortunate ways. This is especially true when we are dealing with complex technical issues where the lawmakers may not understand the ramifications of their legislation. The DMCA is a good example of this -- it actually puts constraints on legitimate R&D in reverse engineering, for instance. Thus, several of us in the community will not pursue research on tools that could otherwise be used to take apart viruses and hacker toolkits. It's not that we're afraid that the Justice Department might prosecute us (although the law allows that, the possibility is pretty much nonexistent), but it gives private firms a right of action to sue. Ed Felten's experience in this regard has had a chilling effect on the rest of us. It's a bad law, and unfortunately, Congress is under too much pressure from the RIAA and similar organizations to actually fix it. The last thing we need is more laws like this, with unexpected, overbroad impacts.
Last of all, I think it shifts the blame for problems that occur in economics, law and human society onto IT, and that isn't right. We should be addressing the real problems rather than their manifestation. After the Enron and Worldcom scandals we didn't see calls to outlaw telephones, adding machines and shredders, did we? That's because the lawmakers understood the role of those technologies and saw that they were not the cause of the bad behavior. If we really want to secure our infrastructure then we need to pursue solutions to the problems, not proscribe technology that is involved.
We've recently seen two major viruses hit the Internet: Blaster and SoBig. What do you think of them? In what ways are they distinctive?
I have ceased to study these emerging forms of worm/virus/etc. They all generally exploit the same underlying weaknesses (poor code, poor controls, and poor user understanding of their systems). They generally only differ in small details. Some of my colleagues follow these, so I know who to call on if I need information.
What do you think about the recent connection/convergence between spammers and virus-makers?
It was predictable. It is also disturbing because we have had so little success in addressing either threat separately. The combination means there is now a profit motive for the virus writers to get more devious. It also means they will be able to afford better testbeds. It also suggests that we will have a more difficult time shutting down the spammers because we will have more trouble tracing them.
The next element to enter the fray in a more major way is the organized crime gangs. It has started in Europe, but we haven't seen it really take off yet. With money to be made and an operation outside the legal system, this appears to be a natural evolutionary step. Watch for viruses being targeted against multinational firms that don't pay protection money, or that focus on disrupting counter-narcotrafficking operations.
It seems very unlikely that law enforcement authorities will apprehend those responsible for most viruses. The number of virus creators caught during the last few years, Chen Ing-hau (Chernobyl), "Mafia Boy" (DoS'ed Amazon, eBay, and Yahoo!), Onel de Guzman (ILOVEYOU), Jan De Wit (Anna Kournikova), David Smith (Melissa), and Simon Vallor (Gokar, Redesi, and Admirer), is very small given that estimates suggest that some 60,000 viruses are in circulation. Why do we catch so few?
Lots of reasons. Lack of resources and tools. Too many viruses. Lack of good record-keeping. Transborder law enforcement issues. Lack of laws in some jurisdictions. And perhaps other priorities for law enforcement.
The authors of the viruses are not necessarily the ones we need to catch, however. Some authors are quite public about writing them. It is the releasing of them that is the real problem, and there is a disconnect between many authors and the release of their viruses. For instance, there are many authors who post their latest creation on virus exchange WWW sites with notes like "This would be nasty -- don't release this in the wild." Of course, someone often does. There are certainly some First Amendment grounds in the US why the posting of the source isn't strictly illegal; the laws that we have cover the release and spread of the viruses. It's not illegal for me to publish a book on explosives, but it is clearly against the law for me to actually formulate some and set them off!
I wonder why there have been no civil lawsuits yet against these authors and the people who operate the WWW sites. If someone wrote a book on how to kill people with homemade poison, and someone bought the book and used the information to kill people, the author and publisher would not be subject to criminal prosecution. However, they might well be sued in civil court for damages. The arguments against this have been that it would drive the authors underground (perhaps), and that most of the authors have so little to lose that such suits are meaningless (possibly).
I think one of the biggest issues is the sheer number of viruses hitting us each week. Which ones should we focus on? There is too much "noise" because it is so simple to write an effective virus/worm/etc. To make investigation easier to conduct and prioritize, we need to raise the bar so that these are rare events.
With the thousands of viruses currently in existence, how does the government determine which virus-makers to track down? How well do agencies in different countries collaborate?
I'm not privy to that information. My understanding is that cooperation is great between some countries and awful between others. If a virus is released from a site in Iran or China, I wouldn't expect that there would be close cooperation between the national agencies in those countries and the FBI, especially if the virus has a political message embedded in it. On the other hand, cooperation among the US, Canada, the UK, NZ and Australia is likely to be quite good.
Do extant criminal laws deal satisfactorily with the problem of viruses? How might they be improved?
See my answers, above. I do not think more laws against viruses and their authors will lead to any fixes.
I really think the solution involves fixing some of the known problems in the platforms. Some systems are immune to these viruses, for instance.
A decade ago, many of us working in security were talking about these problems, and how to avoid or mitigate them. Unfortunately, major vendors did not pick up on what we recommended.
So long as false convenience and poor design are more important to the average user than security and safety then we are going to have problems.
Some people have even suggested that a bounty system might facilitate the apprehension of virus-makers. Would a bounty system likely be effective? Could it help significantly to reduce demands on prosecutors' time? Or could it create a shady underworld of its own?
I doubt it would help much. It could create other problems. I really don't have enough information to know what would happen, but I doubt it would help much in the long run. The fundamentals of how systems work need to be addressed, first.
Many people want their ISPs to protect them from viruses. How might ISPs provide more satisfactory virus protection? In a world where few people are technically inclined (witness the otherwise incomprehensible popularity of AOL), should ISPs take more responsibility?
There are lots of things ISPs could do, including virus filtering, firewalls, egress filtering (to cut down on DDoS), and offering vulnerability scanning. However, the ISPs haven't yet decided that it might be a competitive advantage to make them money. There is also a concern, I'm told, that if they put in technology to monitor content for viruses, governments could begin forcing them to monitor for content that was offensive according to country A and law B and ethnic group C and so on... This would really be a nightmare for them, and for the operation of the networks as a whole.
Why do you believe people create viruses? Virus making violates the unwritten moral code of hackers, and clearly has the potential to disrupt many critical services, like those provided by hospitals, emergency call centers, and fire departments.
There are lots of motives. Intellectual curiosity. Bragging rights. A sense of revenge against someone. A sense of empowerment. Political reasons. Competition. Mental defect. And of course now we are seeing a profit motive for some of the viruses. Accounts from various authors disclose at least this range of motives. Sara Gordon of Symantec has been studying this scene for years and I recall her saying that there is no single motive or class of related motives that can be ascribed to any majority of these people.
Many of the authors do not understand the potential disruption, especially some of the younger ones. Few people really have any idea of the scope or reach of the Internet, nor do they have any idea of the real effects they might cause. What they see is what appears on their screen -- for them, the Internet is whatever is behind their monitor.
Virus writers and the traditional hacker community don't overlap much, so the "unwritten code" (which is increasingly ignored by the "hackers") doesn't really apply here.
Are virus-makers getting younger and younger because of the recent proliferation of virus-making kits and online tools? Or do the media fixate disproportionately on those who are younger?
I don't have data on this. I tend to believe it is a media effect. The ones now writing the sophisticated worms with the spamming and political components are clearly not at the most youthful end of the spectrum.
How might society target prospective virus-makers early and re-channel their energies?
I think we need to start educating all our children that hacking, virus writing, and other on-line behaviors are neither "cool" nor indicators of genius. We teach them not to make prank calls or spray-paint their names on the neighbor's cars, even though they have access to the phone and to the paint. The media doesn't portray such vandals as stars. It is a combination of social norms and peer pressure that needs to be cultivated to make a real difference.
If we could cut out the bulk of the nuisance cases both of hacking and of virus writing, then perhaps we could be more effective from a law enforcement perspective of catching the really malicious ones and making a public statement with their arrests. Right now, there is too much "noise" because the systems are so poorly designed and we have done such a poor job as a society in making it clear that this is unacceptable, rude, destructive behavior. So we are overwhelmed with attacks. When there is a full-fledged riot going on, getting a few kids out of the crowd to go pick up litter doesn't really help, right?
In light of the wanton destruction that virus-makers wreak on individuals' computers, is it going to be possible to reclaim the term "hacking" as a label for something admirable?
I don't see how that can happen in the near future.
Can you tell us about any especially interesting consulting projects in which you've been involved?
Well, the really interesting projects are ones I'm not allowed to talk about. One of the reasons I get asked to do interesting things is that I can be trusted to not talk about them afterwards. So, I'd rather leave it at that so I continue to get asked to do interesting and amusing things for intriguing clients. Of course, I don't really have time for many such things anymore, but just in case. ;-)
What advice do you have for geeky legal types who want to become involved in the prevention, investigation, or prosecution of computer-related crimes?
That depends on how much time they can spare, and what technical background they might have. If they have the resources, then pursuing courses in computer science -- up to and including a full MS -- would help them understand the technology.
Reading one of the recent books on computing and law from the computer science point of view might help them gain some understanding. Here are a few I have seen recently that I can recommend:
My understanding is that the American Bar Association also has a working group on this general topic, and that they have some educational outreach programs. I don't know the details.
We're (CERIAS) hoping to gear up for some form of summer institute in this area starting in 2005. You can check back with us in the spring of 2005.
Can you recommend any books or articles that might be especially valuable for those interested in the links between computing and law, philosophy, and ethics?
The ACM has a Computers & Society special interest group with a nice newsletter that is worth reading. The USACM does a lot of work in this area, and we try to keep our WWW site up-to-date with various pointers. CPSR and EFF also work in this area, although their focus sometimes seems rather one-sided to some people.
I'd recommend a subscription to the Risks Digests, or its Usenet equivalent.
There are literally hundreds of other resources to pursue here. I'm not sure what is best to recommend!
As to books, I think the following provide good introductions:
What is your preferred platform: Wintel, Linux, MacOS, or ...?
It depends on the application need. No one system (or language or database or...) is ideal for every use. I'm a big believer in using the right tools for the right jobs.
My primary system for user interaction is Mac OS X. I personally have five Macs, and I've been using them since 1985. I happen to prefer Macs as my personal machine, and there is nothing I need to do that I can't do with it. I have written 5 books, serve as an editor on several journals, administer CERIAS business, and answer over 200 email messages a day.
My backend mail and file server machine is a Sun running Solaris. I have been using Unix and Unix-like systems since 1977, so I am very comfortable with them. Having written the canonical security book on Unix and Linux helps. :-)
I have a laptop with OpenBSD, and a Windows tablet PC. My research group is building on FreeBSD. We run some of our internal machines on Windows and some on Linux. I use a Palm handheld, so I also use PalmOS.
I've used about 20 operating systems in my career and written two. I've programmed in over 40 languages. I've tasted about 75 flavors of ice cream. Limiting me to one of each would be a pity.
What is your preferred email client? Virus protection package?
I mostly use Eudora. I sometimes use the Apple Mail client. I also have Virex installed on my Mac, and we have the NAI enterprise virus scanner on our mail server. I also use Tripwire. My mailer automatically rejects any incoming email with attachments that are Windows executables (no one should EVER accept such attachments), and bounces Word and Zip attachments. I use procmail for this on my Unix back end. If someone needs to send me a document, then we can use ftp, or we can negotiate a safer transfer method. During the heights of some of the recent viruses, I was discarding 30Mb of email per day -- all of it viruses. And I should point out -- viruses for Windows. There have been something like 100,000 viruses for MS operating systems, only about 50 for the Mac, and about 3 for commercial Unix systems. That difference isn't because of a difference in the prevalence of the machines -- there are basic architectural differences.
I've never had one of my machines fall victim to a virus. I won't claim it will never happen, but the combination of the Mac and Sun, disallowing incoming attachments, and some prudent caution about unsolicited email and connections seems to be working for me so far. I've been on computer networks of one sort or another since 1977 with nary a virus, and I daresay I get more email than most people.
It isn't that difficult to avoid being a victim. I'm reminded of the old Henny Youngman joke:
"Doctor, it hurts when I do this!"
"Well then, don't do that!"
(Youngman sure did have a great assortment of doctor jokes. My favorite is his "My doctor grabbed me by the wallet and said 'Cough!'" one.)
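As an added illustration of the attachment policy described in the answer above (it is not the interviewee's actual procmail configuration, and it is written in Python rather than procmail), the filter below classifies a raw message as reject, bounce or accept; the extension and MIME-type lists and the sample addresses are assumptions, and the messages are constructed test data.

```python
# Added example: an attachment-policy filter in the spirit of the rule
# "reject Windows executables, bounce Word and Zip, accept the rest".
# Not the interviewee's procmail setup; lists below are assumptions.
import os
import email
from email import policy
from email.message import EmailMessage

# Assumed lists; a real deployment would tune these.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-msdos-program"}
BOUNCE_EXTS = {".doc", ".dot", ".zip"}
BOUNCE_TYPES = {"application/msword", "application/zip"}


def attachments(msg):
    """Yield (filename, content_type) for each leaf MIME part that looks
    like an attachment: it carries a filename or is marked as one."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").strip().lower()
        if name or part.get_content_disposition() == "attachment":
            yield name, part.get_content_type().lower()


def classify(raw):
    """Return 'reject', 'bounce' or 'accept' for a raw RFC 822 message.
    One executable anywhere in the message outranks a bounce-able document."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdict = "accept"
    for name, ctype in attachments(msg):
        # splitext keeps only the last suffix, so "invoice.pdf.scr" is still
        # treated as an executable (double extensions are a classic lure).
        ext = os.path.splitext(name)[1]
        if ext in EXECUTABLE_EXTS or ctype in EXECUTABLE_TYPES:
            return "reject"
        if ext in BOUNCE_EXTS or ctype in BOUNCE_TYPES:
            verdict = "bounce"
    return verdict


def build_sample(filename=None, ctype="application/octet-stream"):
    """Construct a sample message (constructed test data, not real mail),
    optionally carrying one attachment with the given name and MIME type."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"       # constructed address
    msg["To"] = "recipient@example.net"      # constructed address
    msg["Subject"] = "constructed sample"
    msg.set_content("See attachment.")
    if filename is not None:
        maintype, subtype = ctype.split("/", 1)
        msg.add_attachment(b"\x00payload", maintype=maintype,
                           subtype=subtype, filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, ctype in [("setup.exe", "application/octet-stream"),
                        ("report.doc", "application/msword"),
                        ("invoice.pdf.scr", "application/octet-stream"),
                        ("notes.txt", "text/plain")]:
        print(f"{name:18s} -> {classify(build_sample(name, ctype))}")
```

The MIME-type check matters because a sender can rename a file; checking both the declared type and the extension catches more of the mislabelled cases than either alone.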
Thank you for a great interview, Spaf. We look forward to hearing about future CERIAS developments.
Dr. Eugene Spafford was interviewed by Roger E. Rustad, Jr. (scubacudaNO@SPAMiname,com), senior editor of the Berkman Center’s GrepLaw.