Inside Risks Columns

If you wish to see earlier Inside Risks columns, most of those through December 2003 are at http://www.csl.sri.com/neumann/insiderisks.html,
linked there along with all subsequent columns. For efficiency of access, columns beginning with January 2004 are in files by year and can be accessed directly with the appropriate index number following a # at the end of the file URL.
For 2004 columns, see http://www.csl.sri.com/neumann/insiderisks04.html.
For 2005 columns, see http://www.csl.sri.com/neumann/insiderisks05.html.
For 2006 columns, see http://www.csl.sri.com/neumann/insiderisks06.html.
For 2007 columns, see http://www.csl.sri.com/neumann/insiderisks07.html.

[[[NOTE: After 18 years of 216 consecutive monthly columns that have appeared in the inside last page of the Communications of the ACM, the plan for the foreseeable future is that subsequent issues of the CACM will include Inside Risks columns with a reduced frequency -- perhaps three or four a year. I am enormously indebted to the members of my ACM Committee on Computers and Public Policy (Steve Bellovin, Peter Denning, Virgil Gligor, Nancy Leveson, Dave Parnas, Jerry Saltzer, and Lauren Weinstein), whose diligent oversight and incisive interactions have helped make these columns relevant, timely, and interesting, and hope that we may continue this effort in the future. PGN]]]

NOTE: Reuse for commercial purposes is subject to CACM and author copyright policy.

Inside Risks Columns, 2008-2009

  • Reducing Risks of Implantable Medical Devices: A Prescription to Improve Security and Privacy of Pervasive Health Care, Kevin Fu, June 2009
  • U.S. Election After-Math, Peter G. Neumann, February 2009
  • Risks of Neglecting Infrastructure, Jim Horning and Peter G. Neumann, June 2008
  • The Physical World and the Real World, Steven M. Bellovin, May 2008
  • A Current Affair, Lauren Weinstein, April 2008
  • Wireless Sensor Networks and the Risks of Vigilance, Xiaoming Lu and George Ledin Jr, March 2008
  • Software Transparency and Purity, Pascal Meunier, February 2008
  • The Psychology of Risks, Dr. Leonard S. Zegans, January 2008
    ========================================================

    Inside Risks 218, CACM 52, 6, June 2009

    Reducing Risks of Implantable Medical Devices: A Prescription to Improve Security and Privacy of Pervasive Health Care

    Kevin Fu

    Millions of patients benefit from programmable, implantable medical devices (IMDs) that treat chronic ailments such as cardiac arrhythmia [6], diabetes, and Parkinson's disease with various combinations of electrical therapy and drug infusion. Modern IMDs rely on radio communication for diagnostic and therapeutic functions -- allowing healthcare providers to remotely monitor patients' vital signs via the Web and to give continuous rather than periodic care. However, the convergence of medicine with radio communication and Internet connectivity exposes these devices not only to safety and effectiveness risks, but also to security and privacy risks. IMD security risks have greater direct consequences than security risks of desktop computing. Moreover, IMDs contain sensitive information with privacy risks more difficult to mitigate than that of electronic health records or pharmacy databases. This article explains the impact of these risks on patient care, and makes recommendations for legislation, regulation, and technology to improve security and privacy of IMDs.

    Consequences and Causes: Security Risks

    The consequences of an insecure IMD can be fatal. However, it is fair to ask whether intentional IMD malfunctions represent a genuine threat. Unfortunately, there are people who cause patients harm. In 1982, someone deliberately laced Tylenol capsules with cyanide and placed the contaminated products on store shelves in the Chicago area. This unsolved crime led to seven confirmed deaths, a recall of an estimated 31 million bottles of Tylenol, and a rethinking of security for packaging medicine in a tamper-evident manner. Today, IMDs appear to offer a similar opportunity to other depraved people. While there are no reported incidents of deliberate interference, this can change at any time. The global reach of the Internet and the promiscuity of radio communication expose IMDs to historically open environments with difficult-to-control perimeters [3,4]. For instance, vandals caused seizures in photosensitive patients by posting flashing animations on a Web-based epilepsy support group [1].

    Knowing that there will always exist such vandals, the next question is whether genuine security risks exist. What could possibly go wrong by allowing an IMD to communicate over great distances with radio and then mixing in Internet-based services? It does not require much sophistication to think of numerous ways to cause intentional malfunctions in an IMD. Few desktop computers have failures as consequential as that of an IMD. Intentional malfunctions can actually kill people, and are harder to prevent than accidental malfunctions. For instance, lifesaving therapies were silently modified and disabled via radio communication on an implantable defibrillator that had passed pre-market approval by regulators [3]. In my research lab, the same device was reprogrammed with an unauthenticated radio-based command to induce a shock that causes ventricular fibrillation (a fatal heart rhythm).

    Manufacturers point out that IMDs have used radio communication for decades, and that they are not aware of any unreported security problems. Spam and viruses were also not prevalent on the Internet during its many-decade childhood. Firewalls, encryption, and proprietary techniques did not stop the eventual onslaught. It would be foolish to assume that IMDs are any more immune to malware. For instance, if malware were to cause an IMD to continuously wake from power-saving mode, the battery would wear out quickly. The malware creator need not be physically present, but could expose a patient to the risks of unnecessary surgery, which could lead to infection or death. Much as Mac users can take comfort in the fact that most malware today takes aim at Windows applications, patients can take comfort in the fact that IMDs seldom rely on such widely targeted software, for now.

    Consequences & Causes: Privacy

    A second risk is violation of patient privacy. Today's IMDs contain detailed medical information and sensory data (vital signs, patient name, date of birth, therapies, medical diagnosis, etc.). Data can be read from an IMD by passively listening to radio communication. With newer IMDs providing nominal read ranges of several meters, eavesdropping will become easier. The privacy risks are similar to those of online medical records.

    Remedies

    Improving IMD security and privacy needs a proper mix of technology and regulation.

    Remedy: Technology

    Technological approaches to improving IMD security and privacy include judicious use of cryptography and limiting unnecessary exposure to would-be hackers.

    IMDs that rely on radio communication or have pathways to the Internet must resist a determined adversary [5]. IMDs can last upwards of 20 years, and doctors are unlikely to surgically replace an IMD just because a less-vulnerable one becomes available. Thus, technologists need to think 20 to 25 years out. Cryptographic systems available today may not last 25 years.

    It is tempting to consider software updates as a remedy for maintaining the security of IMDs. Because software updates can lead to unexpected malfunctions with serious consequences, pacemaker and defibrillator patients make an appointment with a healthcare provider to receive firmware updates in a clinic. Thus, it could take too long to patch a security hole.

    Beyond cryptography, several steps could reduce exposure to potential misuse. When and where should an IMD permit radio-based, remote reprogramming of therapies (e.g., changing the magnitude of defibrillation shocks)? When and where should an IMD permit radio-based, remote collection of telemetry (i.e., vital signs)? Well-designed cryptographic authentication and authorization make these two questions solvable. Does a pacemaker really need to accept requests for reprogramming and telemetry in all locations from street corners to subway stations? The answer is no. Limit unnecessary exposure.
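    As an added illustration of the authenticated, exposure-limited command channel that the two questions above call for (this is example code written for this page, not code from the column or from any device manufacturer), the following Python sketch models one radio frame format and two device behaviours: a legacy implant that acts on any well-formed frame, and a hardened implant that authenticates each frame with a per-device key, rejects replays with a monotonic counter, and accepts therapy reprogramming only in the clinic while still answering authenticated telemetry reads anywhere. The key, counter width, opcodes, shock ceiling and telemetry values are all assumptions made for the example; key provisioning at implant time, encryption of telemetry against the eavesdropping discussed earlier, and an emergency-access policy are deliberately left out.

```python
import hashlib
import hmac
import struct

# Wire format shared by both implants below (an assumption for this example):
#   counter (8 bytes, big-endian) || opcode (1 byte) || payload || tag (16 bytes)
# The counter is monotonic per device so a captured frame cannot be replayed;
# the tag is a truncated HMAC-SHA256 over everything before it.
HEADER = struct.Struct(">QB")
TAG_LEN = 16

# Telemetry reads and therapy changes are authorized differently, matching the
# column's two questions (where to allow telemetry, where to allow reprogramming).
OP_READ_TELEMETRY = 0x01
OP_SET_SHOCK = 0x02
MAX_SHOCK_JOULES = 40  # assumed clinical ceiling used only for the range check


def build_frame(key, counter, opcode, payload=b""):
    """Programmer side: assemble a frame and authenticate it with the device key."""
    body = HEADER.pack(counter, opcode) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class LegacyImplant:
    """Models a device that acts on any well-formed frame: no key, no counter."""

    def __init__(self):
        self.shock_joules = 30

    def handle(self, frame, in_clinic=False):
        counter, opcode = HEADER.unpack(frame[:HEADER.size])
        payload = frame[HEADER.size:-TAG_LEN]   # tag bytes are simply ignored
        if opcode == OP_SET_SHOCK:
            self.shock_joules = payload[0]     # no authentication, no range check
            return True, "shock set to %d J" % payload[0]
        if opcode == OP_READ_TELEMETRY:
            return True, "telemetry"
        return False, "unknown opcode"


class HardenedImplant:
    """Same wire format, but verifies the tag, rejects replays, and restricts
    therapy reprogramming to the clinic unless explicitly enabled."""

    def __init__(self, key, allow_remote_reprogram=False):
        self.key = key
        self.allow_remote_reprogram = allow_remote_reprogram
        self.last_counter = 0
        self.shock_joules = 30
        self.telemetry = {"heart_rate": 72, "battery_pct": 87}  # constructed values

    def handle(self, frame, in_clinic=False):
        if len(frame) < HEADER.size + TAG_LEN:
            return False, "malformed"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        # Authenticate before touching any state; constant-time compare.
        if not hmac.compare_digest(tag, expected):
            return False, "unauthenticated"
        counter, opcode = HEADER.unpack(body[:HEADER.size])
        payload = body[HEADER.size:]
        if counter <= self.last_counter:
            return False, "replay"
        self.last_counter = counter                 # consume even if rejected below
        if opcode == OP_READ_TELEMETRY:
            return True, "telemetry %r" % (self.telemetry,)
        if opcode == OP_SET_SHOCK:
            if not (in_clinic or self.allow_remote_reprogram):
                return False, "reprogramming not permitted outside clinic"
            if len(payload) != 1 or not 0 < payload[0] <= MAX_SHOCK_JOULES:
                return False, "therapy value out of range"
            self.shock_joules = payload[0]
            return True, "shock set to %d J" % payload[0]
        return False, "unknown opcode"


def demo():
    """Run the same attacker and programmer traffic against both devices."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed device key
    legacy, hardened = LegacyImplant(), HardenedImplant(key)
    r = {}
    # An attacker who knows the format but not the key tries to disable therapy.
    forged = HEADER.pack(1, OP_SET_SHOCK) + bytes([0]) + b"\x00" * TAG_LEN
    r["legacy_forged"] = legacy.handle(forged)
    r["hardened_forged"] = hardened.handle(forged)
    # Legitimate reprogramming in the clinic, then a replay of the captured frame.
    clinic = build_frame(key, 1, OP_SET_SHOCK, bytes([25]))
    r["clinic_reprogram"] = hardened.handle(clinic, in_clinic=True)
    r["replay"] = hardened.handle(clinic, in_clinic=True)
    # A bit flipped in transit (or by an attacker) invalidates the tag.
    tampered = bytearray(build_frame(key, 2, OP_SET_SHOCK, bytes([10])))
    tampered[HEADER.size] ^= 0xFF
    r["tampered"] = hardened.handle(bytes(tampered), in_clinic=True)
    # Authentic programmer, but on a street corner rather than in the clinic.
    r["street_reprogram"] = hardened.handle(build_frame(key, 3, OP_SET_SHOCK, bytes([5])))
    # An authenticated telemetry read is still allowed anywhere.
    r["telemetry"] = hardened.handle(build_frame(key, 4, OP_READ_TELEMETRY))
    r["shock_joules"] = (legacy.shock_joules, hardened.shock_joules)
    return r


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

    Running it shows the legacy device setting its shock to zero on an unauthenticated frame, while the hardened device rejects the forged frame, the tampered frame, the replay and the out-of-clinic reprogramming, and still serves the authenticated telemetry read. The counter is consumed even when a command is refused for policy reasons, so an authentic but rejected frame cannot be re-sent later; the location check is modelled here as a flag supplied by the device, which in practice would come from a clinic-side signal whose own authenticity has to be designed in.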

    Remedy: Regulation

    Pre-market approval for life-sustaining IMDs should explicitly evaluate security and privacy -- leveraging the body of knowledge from secure systems and security metrics communities. Manufacturers have already deployed hundreds of thousands of IMDs without voluntarily including reasonable technology to prevent the unauthorized induction of a fatal heart rhythm. Thus, future regulation should provide incentives for improved security and privacy in IMDs.

    Regulatory aspects of protecting privacy are more complicated, especially in the United States. Although the U.S. Food and Drug Administration has acknowledged deleterious effects of privacy violations on patient health [2], there is no ongoing process or explicit requirement that a manufacturer demonstrate adequate privacy protection. FDA itself has no legal remit from Congress to directly regulate privacy. (FDA does not administer HIPAA privacy regulations.)

    Call to Action

    My call to action consists of two parts legislation, one part regulation, and one part technology.

    First, legislators should mandate stronger security during pre-market approval of life-sustaining IMDs that rely on either radio communication or computer networking. Action at pre-market approval is crucial because unnecessary surgical replacement directly exposes patients to risk of infection and death. Moreover, the threat models and risk retention chosen by the manufacturer should be made public so that healthcare providers and patients can make informed decisions when selecting an IMD. Legislation should avoid mandating specific technical approaches, but instead should provide incentives and penalties for manufacturers to improve IMD security.

    Second, legislators should give regulators the authority to require adequate privacy controls before allowing an IMD to reach the market. FDA writes that privacy violations can affect patient health [2], and yet FDA has no direct authority to regulate privacy of medical devices. IMDs increasingly store large amounts of sensitive medical information and fixing a privacy flaw after deployment is especially difficult on an IMD. Moreover, security and privacy are often intertwined. Inadequate security can lead to inadequate privacy, and inadequate privacy can lead to inadequate security. Thus, device regulators have the unique vantage point for not only determining safety and effectiveness, but also determining security and privacy.

    Third, regulators such as FDA should draw upon industry, the healthcare community, and academics to conduct a thorough and open review of security and privacy metrics for IMDs. Today's guidelines leave so much wiggle room that an implantable cardioverter defibrillator with no apparent authentication whatsoever has been implanted in hundreds of thousands of patients [3].

    Fourth, technologists should ensure that IMDs do not continue to repeat the mistakes of history by underestimating the adversary, using outdated threat models, and neglecting to use cryptographic controls [5]. In addition, technologists should not dismiss the importance of usable security and human factors.

    Conclusion

    There is no doubt that IMDs save lives. Patients prescribed such devices are much safer with the device than without, but IMDs are no more immune to security and privacy risks than any other computing device. Yet the consequences for IMD patients can be fatal. Tragically, it took seven cyanide poisonings for the pharmaceutical industry to redesign the physical security of its product distribution to resist tampering by a determined adversary. The security and privacy problems of IMDs are obvious, and the consequences just as deadly. We'd better get it right today, because surgically replacing an insecure IMD is much harder than an automated Windows update.

    [1] Epilepsy Foundation. "Epilepsy Foundation Takes Action Against Hackers." March 31, 2008.

    [2] FDA Evaluation of Automatic Class III Designation VeriChip(TM) Health Information Microtransponder System, October 2004. http://www.sec.gov/Archives/edgar/data/924642/000106880004000587/ex99p2.txt

    [3] D. Halperin et al. "Pacemakers and implantable cardiac defibrillators: Software radio attacks and zero-power defenses." In Proceedings of the 29th Annual IEEE Symposium on Security and Privacy, May 2008.

    [4] D. Halperin et al. "Security and privacy for implantable medical devices." IEEE Pervasive Computing, Special Issue on Implantable Electronics, January 2008.

    [5] B. Schneier, "Security in the Real World: How to Evaluate Security Technology," Computer Security Journal, 15 (4), 1999. http://www.schneier.com/essay-031.html

    [6] John G. Webster, ed. "Design of Cardiac Pacemakers." IEEE Press, 1995.

    Kevin Fu (kevinfu@cs.umass.edu) is an assistant professor of Computer Science at the University of Massachusetts Amherst.

    ========================================================

    Inside Risks 217, CACM 52, 2, February 2009

    U.S. Election After-Math

    Peter G. Neumann

    Recounting problems still associated with election integrity and accountability

    From the perspective of computer-based election integrity, it was fortunate that the U.S. presidential electoral vote plurality was definitive. However, numerous problems remain to be rectified, including some experienced in close state and local races.

    Elections represent a complicated system with end-to-end requirements for security, integrity, and privacy, but with many weak links throughout. For example, a nationwide CNN survey for this election tracked problems in registration (26%), election systems (15%), and polling place accessibility and delays (14%). Several specific problems are illustrative.

    Registration

    * In Cleveland (Cuyahoga County) and Columbus (Franklin County), Ohio, many voters who had previously voted at their current addresses were missing from the polling lists; some were on the Ohio statewide database, but not on the local poll registry, and some of those had even received postcard notification of their registration and voting precinct. At least 35,000 voters had to submit provisional ballots. (Secretary of State Jennifer Brunner had rejected the use of a list of some 200,000 voters whose names did not identically match federal records.) Several other states attempted to disenfranchise voters based on nonmatches with databases whose accuracy is known to be seriously flawed.

    Machines

    * In Kenton County, Kentucky, a judge ordered 108 Hart voting machines shut down because of persistent problems with straight-party votes not being properly recorded for the national races.

    * As in 2002 and 2004, voters (including Oprah Winfrey) reported touch-screen votes flipped from the touched candidate's name to another. Calibration and touching are apparently quite tricky.

    * In Maryland, Andrew Harris, a long-time advocate in the state senate for avoiding paperless touch-screen and other direct-recording electronic voting machines (DREs), ran for the U.S. House seat in Congressional District 1. He trailed by a few votes more than the 0.5% margin that would have necessitated a mandatory recount. Of course, recounts in paperless DREs are relatively meaningless if the results are already incorrect.

    * In California, each precinct typically had only one DRE, provided for disadvantaged voters who preferred not to vote on paper. In Santa Clara County, 57 of those DREs were reported to be inoperable! (Secretary of State Debra Bowen was a pioneer in commissioning a 2007 summer study on the risks inherent in existing computer systems; see Matt Bishop and David Wagner, Risks of E-Voting, Inside Risks, Comm. ACM 50, 11, November 2007, and the detailed reports.) There were also various reports in other states of paperless DREs that were inoperable, including some in which more than half of the machines could not be initialized. In Maryland and Virginia, there were reports of voters having to wait up to five hours.

    Every Vote Should Count

    * Close Senate races in Minnesota and Alaska required ongoing auditing and recounting, particularly as more uncounted votes were discovered. Numerous potential undervotes also required manual reconsideration for the intent of the voter. Anomalies are evidently commonplace, but must be resolvable -- and, in close elections, resolved.

    Deceptive Practices

    * The George Mason University email system was hacked, resulting in the sending of misleading messages regarding student voting. (See two reports dated October 20, 2008: E-Deceptive Campaign Practices, Electronic Privacy Information Center and the Century Foundation, and Deceptive Practices 2.0: Legal and Policy Responses Common Cause, The Lawyers Committee for Civil Rights under Law, and the Century Foundation.) Numerous misleading phone calls, websites, and email messages have been reported, including those that suggested Democrats were instructed to vote on Wednesday instead of Tuesday to minimize poll congestion.

    Conclusions

    * The needs for transparency, oversight, and meaningful audit trails in the voting process are still paramount. Problems are very diverse.

    * Despite efforts to add voter-verified paper trails to paperless direct-recording voting machines, some states still used unauditable systems for which meaningful recounts are essentially impossible. The electronic systems are evidently also difficult to manage and operate.

    * Systematic disenfranchisement continues. Although there seems to have been very little voter fraud, achieving accuracy and fairness in the registration process is essential. To vary an old adage, It's not just the votes that count, it's the votes that don't count.

    Overall, much work remains to be done to provide greater integrity throughout the entire election process.

    [CACM is now available online, including this column.]

    ========================================================

    Inside Risks 216, CACM 51, 6, June 2008

    Risks of Neglecting Infrastructure

    Jim Horning and PGN

    "The Foresight Saga" (Inside Risks, Comm. ACM 49, 9, September 2006) discussed failures in critical infrastructures due to lack of foresight in backup and recovery facilities. This column considers some of the causes and effects of another common kind of missing foresight: inadequate infrastructure maintenance.

    Civilization and infrastructure are intimately intertwined. Rising civilizations build and benefit from their infrastructures in a ``virtuous cycle.'' As civilizations decline, their infrastructures decay -- although unmaintained vestiges, such as roads and aqueducts, may outlive them.

    Dependence on critical infrastructures is increasing world-wide. This is true not only of information systems and network services, but also of energy, water, sanitation, transportation, and others that we rely on for our livelihoods and well-being. These critical infrastructures are becoming more interrelated, and most of them are becoming heavily dependent on information infrastructures. People demand ever more and better services, but understand ever less about what it takes to provide those services. Higher expectations for services are often not reflected in higher standards for infrastructure elements.

    Engineers know that physical infrastructures decay without regular maintenance, and prepare for aging (e.g., corrosion and erosion) that requires inspections and repairs. Proper maintenance is generally the cheapest form of insurance against failures. However, it has a definite present cost that must be balanced against the unknown future cost of possible failures. Many costly infrastructure failures could have been prevented by timely maintenance. American engineers have been warning about under-investment in infrastructure maintenance for at least a quarter-century (e.g., America in Ruins: The Decaying Infrastructure, Pat Choate and Susan Walter, 1983), but the problem is not limited to the United States.

    Neglect is the inertially easy path; proactive planning requires more immediate effort, resources, and funding. Creating maintainable systems is difficult and requires significant foresight, appropriate budgets, and skilled individuals. But investments in maintainability can reap enormous long-term benefits, through robustness to attack, simplified maintenance, ease of use, and adaptability to new needs.

    Although computer software does not rust, it is subject to incompatibilities and failures caused by evolving requirements, changing environments, changes in underlying hardware and software, changing user practices, and malicious exploitation of discovered vulnerabilities. Therefore, it requires maintenance. Yet the costs of maintenance are often ignored in the planning, design, construction, and operation of critical systems. Incremental upgrades to software are error-prone. Patchwork fixes (especially repeated patches) further detract from maintainability. Software engineers receive little training in preparing for software aging, in supporting legacy software, or in knowing when and how to terminate decrepit legacy systems.

    Insecure networked computers provide vandals easy access to the Internet, where spam, denial-of-service attacks, and botnet acquisition and control constitute an increasing fraction of all traffic. They directly threaten the viability of one of our most critical modern infrastructures, and indirectly threaten all the infrastructures connected to it. ``It is clear that much greater effort is needed to improve the security and robustness of our computer systems. Although many technological advances are emerging in the research community, those that relate to critical systems seem to be of less interest to the commercial development community.'' (Risks in Retrospect, Comm. ACM 43, 7, July 2000)

    As the example of New Orleans after Hurricane Katrina shows, failure of a critical infrastructure (the levees) can cascade into others. The very synergies among infrastructures that allow progress to accelerate are a source of positive (amplifying) feedback, allowing initial failures to escalate into much larger long-term problems involving many different infrastructures. Ironically, such ``positive'' feedback often has negative consequences.

    Katrina should also remind us that remediating after a collapse often involves many secondary costs that were not foreseen. The more different infrastructures that fail concurrently, the more difficult it becomes to restore service in any of them. Restoring a lost ``ecosystem'' costs much more than the sum of the costs of restoring each element separately.

    Chronic neglect of infrastructure maintenance is not a simple problem, and does not have a simple solution. Technical, economic, social, and political factors intertwine; adequate solutions must involve both the public and private sectors. People who use these infrastructures need to appreciate the importance of maintaining them. People who understand sources of the fragilities, vulnerabilities, and decay in our critical infrastructures have a responsibility to educate decision makers and the public about these risks.

    Jim Horning (horning@acm.org) is Chief Scientist of SPARTA's Information Systems Security Operation; see his blog at http://horning.blogspot.com. Peter Neumann moderates the ACM Risks Forum (www.risks.org).

    ========================================================

    Inside Risks 215, CACM 51, 5, May 2008

    The Physical World and the Real World

    Steven M. Bellovin, May 2008

    Most of us rely on the Internet, for news, entertainment, research, communication with our families, friends, and colleagues, and more. What if it went away?

    Precisely that happened to many people in early February, in the wake of the failure of several undersea cables. According to some reports, more than 80 million users were affected by the outages. Both the failure and the recovery have lessons to teach us.

    The first lesson, of course, is that failures happen. In fact, multiple failures can happen. Simply having some redundancy may not be sufficient; one needs to have enough redundancy, of the right types. In this case, geography and politics made life tougher.

    The geographical issue is clear from looking at a map: there aren't many good choices for an all-water route between Europe and the Persian Gulf or India. And despite this series of events, cables are generally thought to be safer on the seabed than on land. (A standing joke in the network operator community holds that you should bring a length of fiber optic cable with you when going hiking in the wilderness. If you get lost, throw it on the ground. A backhoe will soon show up to sever it; ask the driver how to get home.)

    The obvious answer is to run some backup cables on land, bypassing the chokepoint of the Red Sea. Again, a glance at the map shows how few choices there are. Bypassing the Red Sea on the west would require routing through very unstable countries. An eastern bypass would require cooperation from mutually hostile countries. Neither choice is attractive.

    From this perspective, it doesn't matter much just why the cables failed. Cables can be cut by ship anchors, fishing trawlers, earthquakes, hostile action, even shark bites. Regardless of the cause, when so many cables are in such a small area, the failure modes are no longer independent.

    For this problem, there are no good solutions. Anyone whose business depends on connectivity through this region must take this into account.

    The dangers aren't only physical. The last few months have also shown that a 1999 National Research Council report was quite correct when it warned of the fragility of the routing system and the domain name system.

    In one highly publicized incident, a routing mistake by a Pakistani ISP knocked YouTube off the air. There was a lot of speculation that this was deliberate --- the government of Pakistan had ordered YouTube banned within the country; might someone have tried to ``ban'' it globally? --- though later analysis strongly suggests that it was an innocent mistake. An outage affecting such a popular site is very noticeable; there was a great deal of press coverage. By contrast, when a Kenyan network was inadvertently hijacked by an American ISP, there was virtually no notice. Quieter, deliberate misrouting --- say, to eavesdrop on traffic to or from a small site --- might go completely unnoticed.
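    To make concrete why a single mistaken announcement can capture a site's traffic far beyond the network that made it, here is an added Python example (written for this page, not taken from the column) of longest-prefix-match forwarding next to a route-origin validation check of the kind later standardized in RFC 6811. The prefixes, AS numbers and ROA entries are constructed from the documentation ranges and are not the addresses or networks involved in the incidents the column mentions.

```python
import ipaddress


def longest_prefix_match(rib, address):
    """Return the (prefix, origin_as) entry that forwards traffic to address.
    rib maps a prefix string to the origin AS currently announcing it."""
    addr = ipaddress.ip_address(address)
    best = None
    for prefix, origin in rib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, origin)
    return (str(best[0]), best[1]) if best else None


def validate_origin(prefix, origin, roas):
    """Route origin validation in the style of RFC 6811: an announcement is
    'valid' if some covering ROA names its origin AS and permits its length,
    'invalid' if it is covered only by ROAs that do not, 'not-found' if uncovered."""
    net = ipaddress.ip_network(prefix)
    covering = [r for r in roas if net.subnet_of(ipaddress.ip_network(r["prefix"]))]
    if not covering:
        return "not-found"
    for r in covering:
        if r["asn"] == origin and net.prefixlen <= r["maxlen"]:
            return "valid"
    return "invalid"


def filter_rib(rib, roas):
    """Drop announcements that validate as 'invalid'; keep 'valid' and 'not-found'."""
    return {p: o for p, o in rib.items() if validate_origin(p, o, roas) != "invalid"}


def demo():
    victim_as, hijacker_as = 64496, 64497          # constructed documentation ASNs
    roas = [{"prefix": "203.0.113.0/24", "maxlen": 24, "asn": victim_as}]
    rib = {"203.0.113.0/24": victim_as}            # constructed documentation prefix
    r = {"before": longest_prefix_match(rib, "203.0.113.10")}
    # A mistaken more-specific announcement wins longest-prefix match everywhere
    # it propagates, regardless of who legitimately holds the covering /24.
    rib["203.0.113.0/25"] = hijacker_as
    r["after_low"] = longest_prefix_match(rib, "203.0.113.10")
    r["after_high"] = longest_prefix_match(rib, "203.0.113.200")   # outside the /25
    r["validation"] = {
        "/24 from victim": validate_origin("203.0.113.0/24", victim_as, roas),
        "/25 from hijacker": validate_origin("203.0.113.0/25", hijacker_as, roas),
        "/25 from victim": validate_origin("203.0.113.0/25", victim_as, roas),
        "unrelated": validate_origin("198.51.100.0/24", hijacker_as, roas),
    }
    # A router that discards 'invalid' routes falls back to the legitimate /24.
    r["filtered"] = longest_prefix_match(filter_rib(rib, roas), "203.0.113.10")
    return r


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

    Two points worth noticing in the output: the hijack captures only the half of the /24 that the /25 covers, which is why partial outages of this kind are easy to mis-diagnose, and the victim's own /25 also validates as invalid because the ROA's maxlen is 24, so origin validation only helps if the ROAs are written to match what the legitimate operator actually announces.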

    The DNS-related incidents are scarier because they do reflect deliberate actions, with the force of the U.S. legal system behind them. In one case, the Wikileaks.org web site was briefly deleted from the DNS by court order, because a bank claimed the site contained stolen documents. (The site owners had apparently foreseen something like that, and had registered other names for the site in other countries: the .org registry is located in the U.S.) In a second incident, a U.S. government agency ordered the names of some non-U.S. sites removed from .com (again, located in the U.S.) because they violated the embargo against Cuba.

    What can we learn from these incidents? The moral is simple: the Internet is a lot more fragile than it appears. Most of the time, it works and works very well, without government interference, routing mistakes, or outages due to occasional fiber cuts. Sometimes, though, things go badly wrong. Prudence dictates that we plan for such instances.

    Steven M. Bellovin is a professor of computer science at Columbia University.

    ========================================================

    Inside Risks 214, CACM 51, 4, April 2008

    A Current Affair

    Lauren Weinstein

    It's not a revelation that as a society we're often amiss when it comes to properly prioritizing technological issues. So it should be no surprise that one of the most significant upcoming changes in our physical infrastructure is getting little play not only in the mass media, but in technology-centric circles as well.

    There are increasing concerns that many persons in the U.S. are still unaware that virtually all over-the-air analog television signals are slated to cease in February of 2009 as part of the conversion to digital TV (although betting against a Congressionally-mandated extension at this time might be problematic). Yet it seems that almost nobody is talking about a vastly more far-reaching transition that is looming in our future just twelve years from now.

    Hopefully, you realize that I'm talking about the Congressionally ordered Development Initiative for Return to Edison Current Technology (DIRECT), and its core requirement for all public and private power grids in this country to be converted from AC to DC systems by 2020, with all new consumer and business devices using electricity to be capable of operating directly from these new DC power grids without transitional power conversion adapters by no later than 2030.

    OK, 2020 may still seem a long way off -- 2030 even more so. But for changes on such a scale, this is really very little time, and we'd better get cracking now or else we're likely to be seriously unprepared when the deadlines hit.

    It's really too late at this stage to re-argue whether or not switching from AC to DC makes sense technologically. Personally, I find the arguments for the conversion to be generally unconvincing and politically motivated.

    As you may recall from those purposely late night hearings on C-SPAN, significant aspects of the conversion have been predicated on anti-immigrant rhetoric. Many of those emotionally-loaded discussions focused on the supposed ``national shame'' of our not using the ``rock-solid stable'' direct current power system championed by American hero Thomas Edison, and instead standardizing many years ago on an ``inherently unstable'' alternating current system, developed by an eccentric Croatian immigrant who enthusiastically proposed ideas characterized as grossly un-American -- such as free broadcast power.

    Similarly, it's easy to view the associated legislative language as largely a giveaway to the cryogenics industry, which of course stands to profit handsomely from the vast numbers of superconducting systems that will be necessary to create large practical DC grids.

    Conversion proponents pointed at existing long-distance DC transmission facilities, such as the Pacific DC Intertie, and the success of the conventional telephone system largely operating on DC current. But the Intertie is a highly specialized case, and even the phone system has relied on AC current for telephone ringing purposes.

    But this is all water over the spillway. There's big bucks to be made from this power transition. Stopping it now looks impossible. And admittedly, it's difficult to argue very convincingly against the ability to do away with device power supplies that are needed now to convert wall current AC to DC, or against the simplicity of DC current when powering future generations of LED bulbs that will presumably replace both incandescents and mercury-laden fluorescents.

    It's also true that much additional employment will be created, at least in the short term. Workers will be needed to install the new DC generating plants, distribution components, and power meters. Also, the many AC transformers hanging on poles and buried in vaults all over the country will need to be bypassed.

    Still, from a public policy standpoint, I'd be lying if I didn't state outright that, in my opinion, this entire affair is a risky fiasco, from political, economic, and even safety standpoints. For example, because Congress required that the same style wall sockets and plugs be retained for new DC devices as have long been used by existing AC products, we're sure to see RISKS horror stories galore about damaged equipment, and injured -- even killed -- consumers, when they run afoul of nasty power confusion accidents.

    Freewheeling AC/DC may be fine for a rock band, but it's no way to manage technology. While we can't unplug this coming mess, we should at least internalize it all as an object lesson in how special interests and jingoistic propaganda can distort technology in ways that are counterproductive, dangerous, and even, uh ... shocking.

    Lauren Weinstein (lauren@pfir.org) is co-founder of People For Internet Responsibility http://www.pfir.org. He moderates the Privacy Forum http://www.vortex.com/privacy.

    ========================================================

    Inside Risks 213, CACM 51, 3, March 2008

    Wireless Sensor Networks and the Risks of Vigilance

    Xiaoming Lu and George Ledin Jr

    When Wendell Phillips (an American abolitionist and reformer) told a Boston audience in 1852 that ``Eternal vigilance is the price of liberty'', he did not anticipate the advent of wireless sensor networks (WSNs).

    WSNs are a new technology that will help us be vigilant. Wireless networks and sensors are not new. However, deploying very large numbers of very small sensing devices (motes) is new.

    WSNs are distributed systems programmed for specific missions, to capture and relay specific data. For example, WSNs can check a vehicle's registered identity, location, and movements. Data recorded by sensors embedded in the vehicle can be cross-correlated with data recorded by sensors embedded in sidewalks and roads. With a vast WSN of this type available to them, authorities could monitor driving conditions and instantly recognize traffic problems. Drivers could benefit from such vigilance and the rapid response that it facilitates.

    The obvious downside in this example is a further erosion of our privacy. The cross-correlated data can be a bounty for law enforcement. If roads are seeded with sensors enforcing speed limits, we might expect to receive a ticket every time we exceed them. Authorities will benefit from such vigilance, too. There would be less need for patrolling highways or for pulling anyone over for speeding, because automatically generated fines could be issued to vehicle owners.

    Cars and roads are merely the tip of the iceberg for WSN applications. There are already commercially available sensor systems for habitat oversight, environmental surveys, building and structural integrity testing, spotting containers and other shipping cargo, border patrol support, fire and flooding alerts, and many other vigilance situations. Industry analysts predict that the market for WSNs will top $7 billion by 2010.

    Potential uses and benefits of WSNs are hard to gauge; so are the risks associated with their proliferation. Personal computers 30 years ago and cell phones 15 years ago can serve as templates for what we can reasonably expect. Today, motes are costly and big. Early PCs and mobile phones were heavy and expensive. Eventually sensors will be small enough to go unnoticed and inexpensive enough to be scattered almost anywhere.

    Power, storage, and communication range will be challenges for WSNs, just as they are for laptop computers and mobile phones. Security is also a serious concern. Power drain in sensors spawned many clever, cost-effective workarounds, skirting security difficulties. Synchronizing sleep and wake cycles maximizes battery life, but exposes sensors to attacks that can force sensors to sleep (stop working) or stay awake (waste energy).

    Sensors are more vulnerable to attack than PCs or cell phones. A standard off-the-shelf serial board can be used to change data via sensors' debugging interface. Data diddling could render a WSN unreliable. WSNs may give governments new tools to watch us, but hackers will relish new ways to spam and phish.

    Revenue-producing WSNs such as those monitoring traffic must be maintained, periodically tested, and upgraded. Maintaining WSNs deployed in rough terrains or hazardous conditions may not be possible. Motes may have to operate unattended, and those without power may remain unreplaced. Abandoned motes will be opportunities for new forms of data theft. Recovering dead motes to prevent staggering pollution problems will require ``sensors sensing sensors'' -- with as yet unknown techniques.

    Although power and security problems are not yet solved, it is prudent to begin examining the risks that would be posed by widespread deployment of WSNs.

    As with all advanced technologies, WSNs compel us to balance what's helpful (enhanced ability to observe) with what's harmful (abuse of this ability or undue expectation of its reliability). Performance of large and complex WSNs may be affected by a few malfunctioning sensors, which might be difficult to discover.

    The risks of deployment must be compared with the risks of non-deployment. For some locations, the cost-benefit analysis may be simple and decisive. WSNs will appear wherever it makes economic sense to deploy them, or when strong political goals justify their deployment. Anti-terrorism efforts will add round-the-clock attention to our already-well-documented lives, the ultimate reality show.

    Phillips warned us that if we wanted to be free, we had to be vigilant. He could not imagine we would risk trading freedom for vigilance; with WSNs, it can happen surreptitiously.

    Xiaoming Lu (lu@cs.ucdavis.edu) is a Ph.D. candidate at the University of California, Davis. George Ledin Jr (ledin@sonoma.edu) is Professor of Computer Science, Sonoma State University.

    ========================================================

    Inside Risks 212, CACM 51, 2, February 2008

    Software Transparency and Purity

    Pascal Meunier

    Many software programs contain unadvertised functions that upset users when they discover them. These functions are not bugs, but rather operations intended by their designers to be hidden from end-users. The problem is not new -- Trojan horses and Easter Eggs were among the earliest instances -- but it is increasingly common and a source of many risks. I define software transparency as a condition that all functions of software are disclosed to users. Transparency is necessary for proper risk management. The term ``transparency'' should be used instead of ``fully-disclosed'' to avoid confusion with the ``full disclosure'' of vulnerabilities.

    There is a higher standard to be named, because disclosure doesn't by itself remove objectionable functions. They pose risks while being irrelevant to the software's stated purpose and utility, and are foreign to its advertised nature. Freedom from such functions is a property that needs a name: loyalty, nonperfidiousness, fidelity, and purity come to mind, but none of them seems exactly right. For the purposes of this column, I shall call it purity. ``Pure Software'' can theoretically exist without disclosure, but disclosure would be a strong incentive, as previously discussed by Garfinkel [1]. Purity does not mean free of errors or unchanged since release. It's possible for pure software to contain errors or to be corrupted. The following examples illustrate some of the risks from opaque and impure software.

    In 2004, the digital video recording (DVR) equipment maker TiVo was able to tell how many people had paused and rewound to watch Janet Jackson's wardrobe malfunction in the televised Super Bowl [2]. People could opt out of the data collection by making a phone call. The privacy policy, if it was read, did mention some data collection, but did not disclose its full extent and surprising detail. Very few would likely have opted-in to allow this foreign function.

    Software purity as a desirable property is highlighted by some of the differences between the GNU Public License (GPL) v2 and v3 [3]. The changes can be viewed as intended to protect the capability to remove unwanted functionality from software, including firmware based on GPL code (e.g., TiVo).

    In 2005, the anti-cheating Warden software that was installed with the World of Warcraft online game was found to snoop inside computers [4]. Some people love knowing it is there, whereas others find it distasteful but are unable to make a convincing argument that it is malicious spyware. Despite being authorized by the End-User License Agreement (EULA), it poses risks that were not made clear, through undisclosed, objectionable behaviors.

    Also in 2005, copy prevention software unexpectedly present on Sony BMG CDs was installed surreptitiously when users attempted to play a CD on their computer. It was later recognized as a rootkit [5]. Ironically, it was reused to attack the Warden [6].

    In 2007, people who had paid for Major League Baseball videos from previous years found that they were unable to watch them anymore because of a broken Digital Rights Management (DRM) system, because the server providing authorization was decommissioned without warning [7]. Fragile DRM systems, such as those requiring an available server, are undesirable because of the risks they present while being foreign to the advertised features or content.

    Also in 2007, Microsoft Live OneCare surreptitiously changed user settings when installed to enable automatic updates and re-enable Windows services that were disabled on purpose; this is documented obscurely [8]. Although it was not malicious, it caused many problems for users and system administrators and was vehemently protested. Surreptitious functions pose risks, even if well-intentioned.

    In conclusion, software transparency and purity are often valued but not explicitly identified. Beyond the obvious information security risks to users, opaque or impure software also poses business risks in the form of loss of reputation, trust, goodwill, sales, and contracts. It may be that transparency alone is enough for some purposes, and others may also require software purity. An explicit requirement of whichever is appropriate would decrease risks.

    Pascal Meunier (pmeunier@cerias.purdue.edu) is a research scientist at Purdue University CERIAS. His teaching and research include computer security and information assurance.

    1. Simson Garfinkel, The Pure Software Act of 2006, April 2004.
    http://www.technologyreview.com/Infotech/13556/?a=f

    2. Ben Charny, TiVo watchers uneasy after post-Super Bowl reports, February 2004.
    http://www.news.com/2100-1041_3-5154219.html

    3. Pamela Jones, The GPLv2-GPL3 Chart, January 2006.
    http://www.groklaw.net/articlebasic.php?story=20060118155841115

    4. Greg Hoglund, 4.5 million copies of EULA-compliant spyware, October 2005.
    http://www.rootkit.com/blog.php?newsid=358

    5. Jason Schultz and Corynne McSherry, Are You Infected with Sony-BMG's Rootkit? EFF Confirms Secret Software on 19 CDs, November 2005.
    http://www.eff.org/press/archives/2005/11/09

    6. Robert Lemos, World of Warcraft hackers using Sony BMG rootkit, November 2005.
    http://www.securityfocus.com/brief/34

    7. Allan Wood, If You Purchased MLB Game Downloads Before 2006, Your Discs/Files Are Now Useless; MLB Has Stolen Your $$$ And Claims ``No Refunds'', November 2007.
    http://joyofsox.blogspot.com/2007/11/mlb-game-downloads-still-inaccessible.html

    8. Scott Dunn, PC rebooting? The cause may be MS OneCare, October 2007.
    http://www.windowssecrets.com/2007/10/25/03-PC-rebooting-The-cause-may-be-MS-OneCare

    ========================================================

    Inside Risks 211, CACM 51, 1, January 2008

    The Psychology of Risks

    Dr. Leonard S. Zegans

    Personal risk taking is a major public-health problem in our society. It includes criminal behavior, drug addiction, compulsive gambling, accident-prone behavior, suicide attempts, and disease-promoting activities. The costs in human life, suffering, financial burden, and lost work are enormous.

    Some of the insights from the psychology of personal risks seem applicable to computer-related risks, and are considered here. This column is thus an orthogonal view of the past columns in this space -- which have focused largely on technological problems.

    The Greeks had a word for self-defeating risk taking -- Akrasia, which referred to incontinent behaviors that an individual performs against his or her own best interests. Clearly, some risks are well considered and consistent with personal and social values. The issue that philosophers and psychologists have puzzled over has been why a person would persist in taking harmful, often impulsive risks. This question is seriously compounded when generalized to include people who are using computer systems.

    Personal risk-taking behavior can arise from biological, psychological, and social causes. Computer-related risks also involve psychological and social causes -- but also economical, political, institutional, and educational causes. To understand such behavior, it must be analyzed in terms of how individuals, institutions, and the social environment perceive it and what other less maladaptive options are available. What seems critical in assessing any such behavior is whether any control can be exerted over it, and who or what people and institutions might be aware of its consequences and able to act appropriately. Here are just a few manifestations that result from increased dependence on information technology.

    Loss of a sense of community. Online easy availability of excerpts from music, books, news, and other media may lead to fewer incentives for in-person gatherings, an impersonal lack of face-to-face contact, a lessening of thoughtful feedback, and a loss of the joy of browsing among tangible entities -- with many social consequences. It may also tend to dumb down our intellects.

    Acceleration. Instantaneous access and short-latency turn-around times as in e-mail and instant messaging might seem to allow more time for rumination. However, the expectation of equally instantaneous responses seems to diminish the creative process and escalate the perceived needs for responses. It also seems to lead to less interest in clarity, grammar, and spelling.

    Temptation. Believing that one is unobserved, anonymous, or not accountable may lead to all sorts of risks -- such as clicking on untrustworthy URLs, opening up riskful attachments, and being susceptible to phishing attacks, scams, malware, and blackmail -- especially when communicating with unknown people or systems. This can lead to maladaptive consequences through bad judgment and inability to recognize consequences.

    Dissociation. Irrational risk behavior may arise due to problems of a modular-cognitive separation. Such behaviors are not unconsciously motivated, yet individuals and institutions are unable to connect the expression of a particular behavioral pattern with its detrimental effects. The extent to which foreseeable computer-related risks are ignored by system developers, operators, and users is quite remarkable from a psychological point of view.

    Our society often mythologizes artists, explorers, and scientists who take self-destructive risks as heroes who have enriched society. Often people (particularly the young) get a complicated and mixed message concerning the social value of personal risk taking. With respect to computer-related risks, our society tends to mythologize the infallibility of computer technology and the people who develop it, or alternatively, to shoot the messenger when things go wrong rather than remediating the underlying problems.

    The big difference seems to be this: In their personal lives, people tend to consciously and deliberately take risks -- though often unaware of possibly serious consequences. When dealing with computer technology, they tend to take risks unconsciously and in many cases unwillingly. (On the other hand, readers of this column space are likely to be much more wary.)

    In dealing with personal and computer-related risks, vigorous, compelling, and cognitively clear educational programs are vital in modulating unhealthy behavior and endorsing new attempts to deal with changing environments.

    Dr. Leonard Zegans is a psychiatrist and professor in the University of California at San Francisco Medical School. See his book chapter, Risk-Taking and Decision Making, in Self-Regulatory Behavior and Risk Taking Behavior, L. Lipsett and L. Mitnick, eds., Ablex, Norwood, N.J. 257-272, 1991.

    ========================================================