NOTE: Reuse for commercial purposes is subject to CACM and author copyright policy.
[[[NOTE: After 18 years of 216 consecutive monthly columns that have appeared in the inside last page of the Communications of the ACM, the plan for the foreseeable future is that subsequent issues of the CACM will include Inside Risks columns with a reduced frequency -- perhaps three or four a year. I am enormously indebted to the members of my ACM Committee on Computers and Public Policy (Steve Bellovin, Peter Denning, Virgil Gligor, Nancy Leveson, Dave Parnas, Jerry Saltzer, and Lauren Weinstein), whose diligent oversight and incisive interactions have helped make these columns relevant, timely, and interesting, and I hope that we may continue this effort in the future. PGN]]]
Inside Risks 216, CACM 51, 6, June 2008
"The Foresight Saga" (Inside Risks, Comm. ACM 49, 9, September 2006) discussed failures in critical infrastructures due to lack of foresight in backup and recovery facilities. This column considers some of the causes and effects of another common kind of missing foresight: inadequate infrastructure maintenance.
Civilization and infrastructure are intimately intertwined. Rising civilizations build and benefit from their infrastructures in a ``virtuous cycle.'' As civilizations decline, their infrastructures decay -- although unmaintained vestiges, such as roads and aqueducts, may outlive them.
Dependence on critical infrastructures is increasing world-wide. This is true not only of information systems and network services, but also of energy, water, sanitation, transportation, and others that we rely on for our livelihoods and well-being. These critical infrastructures are becoming more interrelated, and most of them are becoming heavily dependent on information infrastructures. People demand ever more and better services, but understand ever less about what it takes to provide those services. Higher expectations for services are often not reflected in higher standards for infrastructure elements.
Engineers know that physical infrastructures decay without regular maintenance, and prepare for aging (e.g., corrosion and erosion) that requires inspections and repairs. Proper maintenance is generally the cheapest form of insurance against failures. However, it has a definite present cost that must be balanced against the unknown future cost of possible failures. Many costly infrastructure failures could have been prevented by timely maintenance. American engineers have been warning about under-investment in infrastructure maintenance for at least a quarter-century (e.g., America in Ruins: The Decaying Infrastructure, Pat Choate and Susan Walter, 1983), but the problem is not limited to the United States.
Neglect is the inertially easy path; proactive planning requires more immediate effort, resources, and funding. Creating maintainable systems is difficult and requires significant foresight, appropriate budgets, and skilled individuals. But investments in maintainability can reap enormous long-term benefits, through robustness to attack, simplified maintenance, ease of use, and adaptability to new needs.
Although computer software does not rust, it is subject to incompatibilities and failures caused by evolving requirements, changing environments, changes in underlying hardware and software, changing user practices, and malicious exploitation of discovered vulnerabilities. Therefore, it requires maintenance. Yet the costs of maintenance are often ignored in the planning, design, construction, and operation of critical systems. Incremental upgrades to software are error-prone. Patchwork fixes (especially repeated patches) further detract from maintainability. Software engineers receive little training in preparing for software aging, in supporting legacy software, or in knowing when and how to terminate decrepit legacy systems.
Insecure networked computers provide vandals easy access to the Internet, where spam, denial-of-service attacks, and botnet acquisition and control constitute an increasing fraction of all traffic. They directly threaten the viability of one of our most critical modern infrastructures, and indirectly threaten all the infrastructures connected to it. ``It is clear that much greater effort is needed to improve the security and robustness of our computer systems. Although many technological advances are emerging in the research community, those that relate to critical systems seem to be of less interest to the commercial development community.'' (``Risks in Retrospect,'' Comm. ACM 43, 7, July 2000)
As the example of New Orleans after Hurricane Katrina shows, failure of a critical infrastructure (the levees) can cascade into others. The very synergies among infrastructures that allow progress to accelerate are a source of positive (amplifying) feedback, allowing initial failures to escalate into much larger long-term problems involving many different infrastructures. Ironically, such ``positive'' feedback often has negative consequences.
Katrina should also remind us that remediating after a collapse often involves many secondary costs that were not foreseen. The more different infrastructures that fail concurrently, the more difficult it becomes to restore service in any of them. Restoring a lost ``ecosystem'' costs much more than the sum of the costs of restoring each element separately.
Chronic neglect of infrastructure maintenance is not a simple problem, and does not have a simple solution. Technical, economic, social, and political factors intertwine; adequate solutions must involve both the public and private sectors. People who use these infrastructures need to appreciate the importance of maintaining them. People who understand sources of the fragilities, vulnerabilities, and decay in our critical infrastructures have a responsibility to educate decision makers and the public about these risks.
Jim Horning (horning@acm.org) is Chief Scientist of SPARTA's Information Systems Security Operation; see his blog at http://horning.blogspot.com. Peter Neumann moderates the ACM Risks Forum (www.risks.org).
========================================================
Inside Risks 215, CACM 51, 5, May 2008
Most of us rely on the Internet, for news, entertainment, research, communication with our families, friends, and colleagues, and more. What if it went away?
Precisely that happened to many people in early February, in the wake of the failure of several undersea cables. According to some reports, more than 80 million users were affected by the outages. Both the failure and the recovery have lessons to teach us.
The first lesson, of course, is that failures happen. In fact, multiple failures can happen. Simply having some redundancy may not be sufficient; one needs to have enough redundancy, of the right types. In this case, geography and politics made life tougher.
The geographical issue is clear from looking at a map: there aren't many good choices for an all-water route between Europe and the Persian Gulf or India. And despite this series of events, cables are generally thought to be safer on the seabed than on land. (A standing joke in the network operator community holds that you should bring a length of fiber optic cable with you when going hiking in the wilderness. If you get lost, throw it on the ground. A backhoe will soon show up to sever it; ask the driver how to get home.)
The obvious answer is to run some backup cables on land, bypassing the chokepoint of the Red Sea. Again, a glance at the map shows how few choices there are. Bypassing the Red Sea on the west would require routing through very unstable countries. An eastern bypass would require cooperation from mutually hostile countries. Neither choice is attractive.
From this perspective, it doesn't matter much just why the cables failed. Cables can be cut by ship anchors, fishing trawlers, earthquakes, hostile action, even shark bites. Regardless of the cause, when so many cables are in such a small area, the failure modes are no longer independent.
For this problem, there is no good solution. Anyone whose business depends on connectivity through this region must take this into account.
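To make the point about ``enough redundancy, of the right types'' concrete, here is an added example (not part of the column) that puts numbers on it. It uses the standard beta-factor common-cause model: each path fails on its own with probability (1 - beta) * p, and with probability beta * p a single event (a dragging anchor, an earthquake, a cut at a shared landing site) takes every path in the same corridor down together. The values of p, beta and n are constructed for illustration and are not measurements of any real cable system.

```python
"""Added example, not part of the column: how much redundancy is worth when
the failure modes of the redundant paths are not independent.

The model is the standard beta-factor common-cause model: each path fails
on its own with probability (1 - beta) * p, and with probability beta * p a
single event (an anchor dragging across a corridor, an earthquake, a cut
at a shared landing site) takes every path in that corridor out at once.
The values of p, beta and n below are constructed for illustration, not
measured from any real cable system."""
import math


def p_all_fail_independent(p: float, n: int) -> float:
    """Probability that all n paths are down when failures are independent."""
    return p ** n


def p_all_fail_common_cause(p: float, beta: float, n: int) -> float:
    """Probability that all n paths in one corridor are down under the
    beta-factor model: either the shared event happens, or it does not and
    every path then fails on its own."""
    shared = beta * p
    own = (1.0 - beta) * p
    return shared + (1.0 - shared) * own ** n


def effective_redundancy(p: float, beta: float, n: int) -> float:
    """How many truly independent paths would give the same P(all fail)
    as n correlated ones: solve p ** k == P for k."""
    return math.log(p_all_fail_common_cause(p, beta, n)) / math.log(p)


def p_all_fail_two_corridors(p: float, beta: float, n_sea: int, n_land: int) -> float:
    """n_sea paths in one corridor plus n_land paths in a second corridor,
    assuming the two corridors fail independently of each other."""
    return (p_all_fail_common_cause(p, beta, n_sea)
            * p_all_fail_common_cause(p, beta, n_land))


if __name__ == "__main__":
    p, beta = 0.10, 0.10   # constructed: 10% per-path failure chance, 10% of it shared
    print("4 independent paths:     %.2e" % p_all_fail_independent(p, 4))
    print("4 paths, one corridor:   %.2e" % p_all_fail_common_cause(p, beta, 4))
    print("  worth about %.1f independent paths" % effective_redundancy(p, beta, 4))
    print("5 paths, one corridor:   %.2e" % p_all_fail_common_cause(p, beta, 5))
    print("4 sea + 1 land corridor: %.2e" % p_all_fail_two_corridors(p, beta, 4, 1))
```

With these constructed numbers, four cables sharing one corridor are worth about two independent ones, and a fifth cable in the same corridor barely moves the result, while a single path through a different corridor cuts the chance of total loss by roughly an order of magnitude. The shape of the conclusion, not the exact figures, is what carries over to real systems: once a shared cause dominates, adding more of the same kind of redundancy stops helping.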
The dangers aren't only physical. The last few months have also shown that a 1999 National Research Council report was quite correct when it warned of the fragility of the routing system and the domain name system.
In one highly-publicized incident, a routing mistake by a Pakistani ISP knocked YouTube off the air. There was a lot of speculation that this was deliberate -- the government of Pakistan had ordered YouTube banned within the country; might someone have tried to ``ban'' it globally? -- though later analysis strongly suggests that it was an innocent mistake. An outage affecting such a popular site is very noticeable; there was a great deal of press coverage. By contrast, when a Kenyan network was inadvertently hijacked by an American ISP, there was virtually no notice. Quieter, deliberate misrouting -- say, to eavesdrop on traffic to or from a small site -- might go completely unnoticed.
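The mechanism behind incidents of this kind is longest-prefix matching: a router forwards to the most specific route it knows, so an announcement of a smaller block inside a site's address space captures that traffic regardless of who owns the block. The following is an added example, not code from the column or from any operator, that replays such a leak against a toy routing table and runs the kind of origin-AS check route monitors use to notice it. Everything in it is constructed: the prefixes are RFC 5737 documentation space, the AS numbers are from the RFC 5398 private-use range, and the ``victim'', ``leaker'' and ``upstream'' do not correspond to any real network.

```python
"""Added example, not part of the column: why one ISP's announcement can
take a site off the air worldwide, and a minimal origin-AS check of the
kind route monitors use to notice it.

Everything here is constructed: prefixes are RFC 5737 documentation space,
AS numbers are from the RFC 5398 private-use range, and the "victim",
"leaker" and "upstream" do not correspond to any real network."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    origin_as: int       # AS that originated the announcement
    as_path: tuple       # AS_PATH as seen from the monitoring router


class Rib:
    """A toy routing table with one route per prefix. Lookups use
    longest-prefix match, which is why a more-specific announcement wins
    over the legitimate covering prefix no matter how trustworthy the
    AS_PATH of the legitimate route looks."""

    def __init__(self):
        self.routes = {}

    def announce(self, route):
        self.routes[route.prefix] = route

    def withdraw(self, prefix):
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, addr):
        ip = ipaddress.ip_address(addr)
        covering = [r for r in self.routes.values() if ip in r.prefix]
        if not covering:
            return None
        return max(covering, key=lambda r: r.prefix.prefixlen)


def origin_alerts(rib, expected_origins):
    """Flag every announced prefix that falls inside a prefix we care
    about but is originated by an AS other than the registered owner.
    expected_origins maps a prefix string to its legitimate origin AS."""
    alerts = []
    for route in rib.routes.values():
        for owned, owner_as in expected_origins.items():
            if (route.prefix.subnet_of(ipaddress.ip_network(owned))
                    and route.origin_as != owner_as):
                alerts.append((str(route.prefix), route.origin_as, owner_as))
    return alerts


VICTIM_AS, LEAKER_AS, UPSTREAM_AS = 64496, 64497, 64498
VICTIM_PREFIX = "203.0.113.0/24"   # what the victim legitimately announces
LEAKED_PREFIX = "203.0.113.0/25"   # more-specific half leaked by another AS


def scenario():
    """Replay a more-specific leak and return what a monitor would see
    before, during and after it."""
    rib = Rib()
    net = ipaddress.ip_network
    rib.announce(Route(net(VICTIM_PREFIX), VICTIM_AS, (UPSTREAM_AS, VICTIM_AS)))
    seen = {"before": rib.lookup("203.0.113.10").origin_as}

    # A customer of the same upstream announces a /25 it does not own; the
    # upstream fails to filter it and the world learns the more specific.
    rib.announce(Route(net(LEAKED_PREFIX), LEAKER_AS, (UPSTREAM_AS, LEAKER_AS)))
    seen["during_low_half"] = rib.lookup("203.0.113.10").origin_as    # captured
    seen["during_high_half"] = rib.lookup("203.0.113.200").origin_as  # untouched
    seen["alerts"] = origin_alerts(rib, {VICTIM_PREFIX: VICTIM_AS})

    rib.withdraw(LEAKED_PREFIX)   # the upstream filters, or the leaker withdraws
    seen["after"] = rib.lookup("203.0.113.10").origin_as
    return seen


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k:17} {v}")
```

Two things worth noticing. The leak only captures the addresses inside the more-specific block, so a partial hijack can leave part of a site reachable and be harder to spot. And the origin check above catches only announcements whose origin AS is wrong; the ``quieter, deliberate misrouting'' the column mentions can keep the legitimate origin and alter the path instead, which an origin-only monitor will not flag.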
The DNS-related incidents are scarier because they do reflect deliberate actions, with the force of the U.S. legal system behind them. In one case, the Wikileaks.org web site was briefly deleted from the DNS by court order, because a bank claimed the site contained stolen documents. (The site owners had apparently foreseen something like that, and had registered other names for the site in other countries: the .org registry is located in the U.S.) In a second incident, a U.S. government agency ordered the names of some non-U.S. sites removed from .com (again, located in the U.S.) because they violated the embargo against Cuba.
What can we learn from these incidents? The moral is simple: the Internet is a lot more fragile than it appears. Most of the time, it works and works very well, without government interference, routing mistakes, or outages due to occasional fiber cuts. Sometimes, though, things go badly wrong. Prudence dictates that we plan for such instances.
Steven M. Bellovin is a professor of computer science at Columbia University.
========================================================
Inside Risks 214, CACM 51, 4, April 2008
It's not a revelation that as a society we're often remiss when it comes to properly prioritizing technological issues. So it should be no surprise that one of the most significant upcoming changes in our physical infrastructure is getting little play not only in the mass media, but in technology-centric circles as well.
There are increasing concerns that many persons in the U.S. are still unaware that virtually all over-the-air analog television signals are slated to cease in February of 2009 as part of the conversion to digital TV (although betting against a Congressionally-mandated extension at this time might be problematic). Yet it seems that almost nobody is talking about a vastly more far-reaching transition that is looming in our future just twelve years from now.
Hopefully, you realize that I'm talking about the Congressionally ordered Development Initiative for Return to Edison Current Technology (DIRECT), and its core requirement for all public and private power grids in this country to be converted from AC to DC systems by 2020, with all new consumer and business devices using electricity to be capable of operating directly from these new DC power grids without transitional power conversion adapters by no later than 2030.
OK, 2020 may still seem a long way off -- 2030 even more so. But for changes on such a scale, this is really very little time, and we'd better get cracking now or else we're likely to be seriously unprepared when the deadlines hit.
It's really too late at this stage to re-argue whether or not switching from AC to DC makes sense technologically. Personally, I find the arguments for the conversion to be generally unconvincing and politically motivated.
As you may recall from those purposely late night hearings on C-SPAN, significant aspects of the conversion have been predicated on anti-immigrant rhetoric. Many of those emotionally-loaded discussions focused on the supposed ``national shame'' of our not using the ``rock-solid stable'' direct current power system championed by American hero Thomas Edison, and instead standardizing many years ago on an ``inherently unstable'' alternating current system, developed by an eccentric Croatian immigrant who enthusiastically proposed ideas characterized as grossly un-American -- such as free broadcast power.
Similarly, it's easy to view the associated legislative language as largely a giveaway to the cryogenics industry, which of course stands to profit handsomely from the vast numbers of superconducting systems that will be necessary to create large practical DC grids.
Conversion proponents pointed at existing long-distance DC transmission facilities, such as the Pacific DC Intertie, and the success of the conventional telephone system largely operating on DC current. But the Intertie is a highly specialized case, and even the phone system has relied on AC current for telephone ringing purposes.
But this is all water over the spillway. There's big bucks to be made from this power transition. Stopping it now looks impossible. And admittedly, it's difficult to argue very convincingly against the ability to do away with device power supplies that are needed now to convert wall current AC to DC, or against the simplicity of DC current when powering future generations of LED bulbs that will presumably replace both incandescents and mercury-laden fluorescents.
It's also true that much additional employment will be created, at least in the short term. Workers will be needed to install the new DC generating plants, distribution components, and power meters. Also, the many AC transformers hanging on poles and buried in vaults all over the country will need to be bypassed.
Still, from a public policy standpoint, I'd be lying if I didn't state outright that, in my opinion, this entire affair is a risky fiasco, from political, economic, and even safety standpoints. For example, because Congress required that the same style wall sockets and plugs be retained for new DC devices as have long been used by existing AC products, we're sure to see RISKS horror stories galore about damaged equipment, and injured -- even killed -- consumers, when they run afoul of nasty power confusion accidents.
Freewheeling AC/DC may be fine for a rock band, but it's no way to manage technology. While we can't unplug this coming mess, we should at least internalize it all as an object lesson in how special interests and jingoistic propaganda can distort technology in ways that are counterproductive, dangerous, and even, uh ... shocking.
Lauren Weinstein (lauren@pfir.org) is co-founder of People For Internet Responsibility http://www.pfir.org. He moderates the Privacy Forum http://www.vortex.com/privacy
========================================================
Inside Risks 213, CACM 51, 3, March 2008
When Wendell Phillips (an American abolitionist and reformer) told a Boston audience in 1852 that ``Eternal vigilance is the price of liberty'', he did not anticipate the advent of wireless sensor networks (WSNs).
WSNs are a new technology that will help us be vigilant. Wireless networks and sensors are not new. However, deploying very large numbers of very small sensing devices (motes) is new.
WSNs are distributed systems programmed for specific missions, to capture and relay specific data. For example, WSNs can check a vehicle's registered identity, location, and movements. Data recorded by sensors embedded in the vehicle can be cross-correlated with data recorded by sensors embedded in sidewalks and roads. With a vast WSN of this type available to them, authorities could monitor driving conditions and instantly recognize traffic problems. Drivers could benefit from such vigilance and the rapid response that it facilitates.
The obvious downside in this example is a further erosion of our privacy. The cross-correlated data can be a bounty for law enforcement. If roads are seeded with sensors enforcing speed limits, we might expect to receive a ticket every time we exceed them. Authorities will benefit from such vigilance, too. There would be less need for patrolling highways or for pulling anyone over for speeding, because automatically generated fines could be issued to vehicle owners.
Cars and roads are merely the tip of the iceberg for WSN applications. There are already commercially available sensor systems for habitat oversight, environmental surveys, building and structural integrity testing, spotting containers and other shipping cargo, border patrol support, fire and flooding alerts, and many other vigilance situations. Industry analysts predict that the market for WSNs will top $7 billion by 2010.
Potential uses and benefits of WSNs are hard to gauge; so are the risks associated with their proliferation. Personal computers 30 years ago and cell phones 15 years ago can serve as templates for what we can reasonably expect. Today, motes are costly and big. Early PCs and mobile phones were heavy and expensive. Eventually sensors will be small enough to go unnoticed and inexpensive enough to be scattered almost anywhere.
Power, storage, and communication range will be challenges for WSNs, just as they are for laptop computers and mobile phones. Security is also a serious concern. Power drain in sensors spawned many clever, cost-effective workarounds, skirting security difficulties. Synchronizing sleep and wake cycles maximizes battery life, but exposes sensors to attacks that can force sensors to sleep (stop working) or stay awake (waste energy).
Sensors are more vulnerable to attack than PCs or cell phones. A standard off-the-shelf serial board can be used to change data via sensors' debugging interface. Data diddling could render a WSN unreliable. WSNs may give governments new tools to watch us, but hackers will relish new ways to spam and phish.
Revenue-producing WSNs such as those monitoring traffic must be maintained, periodically tested, and upgraded. Maintaining WSNs deployed in rough terrains or hazardous conditions may not be possible. Motes may have to operate unattended, and those without power may remain unreplaced. Abandoned motes will be opportunities for new forms of data theft. Recovering dead motes to prevent staggering pollution problems will require ``sensors sensing sensors'' -- with as yet unknown techniques.
Although power and security problems are not yet solved, it is prudent to begin examining the risks that would be posed by widespread deployment of WSNs.
As with all advanced technologies, WSNs compel us to balance what's helpful (enhanced ability to observe) with what's harmful (abuse of this ability or undue expectation of its reliability). Performance of large and complex WSNs may be affected by a few malfunctioning sensors, which might be difficult to discover.
The risks of deployment must be compared with the risks of non-deployment. For some locations, the cost-benefit analysis may be simple and decisive. WSNs will appear wherever it makes economic sense to deploy them, or when strong political goals justify their deployment. Anti-terrorism efforts will add round-the-clock attention to our already-well-documented lives, the ultimate reality show.
Phillips warned us that if we wanted to be free, we had to be vigilant. He could not imagine we would risk trading freedom for vigilance; with WSNs, it can happen surreptitiously.
Xiaoming Lu (lu@cs.ucdavis.edu) is a Ph.D. candidate at the University of California, Davis. George Ledin Jr (ledin@sonoma.edu) is Professor of Computer Science, Sonoma State University.
========================================================
Inside Risks 212, CACM 51, 2, February 2008
Many software programs contain unadvertised functions that upset users when they discover them. These functions are not bugs, but rather operations intended by their designers to be hidden from end-users. The problem is not new -- Trojan horses and Easter Eggs were among the earliest instances -- but it is increasingly common and a source of many risks. I define software transparency as the condition that all functions of software are disclosed to users. Transparency is necessary for proper risk management. The term ``transparency'' should be used instead of ``fully disclosed'' to avoid confusion with the ``full disclosure'' of vulnerabilities.
There is a higher standard to be named, because disclosure doesn't by itself remove objectionable functions. They pose risks while being irrelevant to the software's stated purpose and utility, and are foreign to its advertised nature. Freedom from such functions is a property that needs a name: loyalty, nonperfidiousness, fidelity, and purity come to mind, but none of them seems exactly right. For the purposes of this column, I shall call it purity. ``Pure Software'' can theoretically exist without disclosure, but disclosure would be a strong incentive, as previously discussed by Garfinkel [1]. Purity does not mean free of errors or unchanged since release. It's possible for pure software to contain errors or to be corrupted. The following examples illustrate some of the risks from opaque and impure software.
In 2004, the digital video recording (DVR) equipment maker TiVo was able to tell how many people had paused and rewound to watch Janet Jackson's wardrobe malfunction in the televised Super Bowl [2]. People could opt out of the data collection by making a phone call. The privacy policy, if it was read, did mention some data collection, but did not disclose its full extent and surprising detail. Very few would likely have opted-in to allow this foreign function.
Software purity as a desirable property is highlighted by some of the differences between the GNU General Public License (GPL) v2 and v3 [3]. The changes can be viewed as intended to protect the capability to remove unwanted functionality from software, including firmware based on GPL code (e.g., TiVo).
In 2005, the anti-cheating Warden software that was installed with the World of Warcraft online game was found to snoop inside computers [4]. Some people love knowing it is there, whereas others find it distasteful but are unable to make a convincing argument that it is malicious spyware. Despite being authorized by the End-User License Agreement (EULA), it poses risks that were not made clear, through undisclosed, objectionable behaviors.
Also in 2005, copy prevention software unexpectedly present on Sony BMG CDs was installed surreptitiously when users attempted to play a CD on their computer. It was later recognized as a rootkit [5]. Ironically, it was reused to attack the Warden [6].
In 2007, people who had paid for Major League Baseball videos from previous years found that they were unable to watch them anymore because of a broken Digital Rights Management (DRM) system: the server providing authorization had been decommissioned without warning [7]. Fragile DRM systems, such as those requiring an available server, are undesirable because of the risks they present while being foreign to the advertised features or content.
Also in 2007, Microsoft's Windows Live OneCare surreptitiously changed user settings when installed, enabling automatic updates and re-enabling Windows services that had been disabled on purpose; this is documented obscurely [8]. Although it was not malicious, it caused many problems for users and system administrators and was vehemently protested. Surreptitious functions pose risks, even if well-intentioned.
In conclusion, software transparency and purity are often valued but not explicitly identified. Beyond the obvious information security risks to users, opaque or impure software also poses business risks in the form of loss of reputation, trust, goodwill, sales, and contracts. It may be that transparency alone is enough for some purposes, and others may also require software purity. An explicit requirement of whichever is appropriate would decrease risks.
Pascal Meunier (pmeunier@cerias.purdue.edu) is a research scientist at Purdue University CERIAS. His teaching and research include computer security and information assurance.
1. Simson Garfinkel, The Pure Software Act of 2006, April 2004. http://www.technologyreview.com/Infotech/13556/?a=f
2. Ben Charny, TiVo watchers uneasy after post-Super Bowl reports, February 2004. http://www.news.com/2100-1041_3-5154219.html
3. Pamela Jones, The GPLv2-GPL3 Chart, January 2006. http://www.groklaw.net/articlebasic.php?story=20060118155841115
4. Greg Hoglund, 4.5 million copies of EULA-compliant spyware, October 2005. http://www.rootkit.com/blog.php?newsid=358
5. Jason Schultz and Corynne McSherry, Are You Infected with Sony-BMG's Rootkit? EFF Confirms Secret Software on 19 CDs, November 2005. http://www.eff.org/press/archives/2005/11/09
6. Robert Lemos, World of Warcraft hackers using Sony BMG rootkit, November 2005. http://www.securityfocus.com/brief/34
7. Allan Wood, If You Purchased MLB Game Downloads Before 2006, Your Discs/Files Are Now Useless; MLB Has Stolen Your $$$ And Claims ``No Refunds'', November 2007. http://joyofsox.blogspot.com/2007/11/mlb-game-downloads-still-inaccessible.html
8. Scott Dunn, PC rebooting? The cause may be MS OneCare, October 2007. http://www.windowssecrets.com/2007/10/25/03-PC-rebooting-The-cause-may-be-MS-OneCare
========================================================
Inside Risks 211, CACM 51, 1, January 2008
Personal risk taking is a major public-health problem in our society. It includes criminal behavior, drug addiction, compulsive gambling, accident-prone behavior, suicide attempts, and disease-promoting activities. The costs in human life, suffering, financial burden, and lost work are enormous.
Some of the insights from the psychology of personal risks seem applicable to computer-related risks, and are considered here. This column is thus an orthogonal view of the past columns in this space -- which have focused largely on technological problems.
The Greeks had a word for self-defeating risk taking -- akrasia, which referred to incontinent behavior that an individual performs against his or her own best interests. Clearly, some risks are taken deliberately and are consistent with personal and social values. The issue that philosophers and psychologists have puzzled over is why a person would persist in taking harmful, often impulsive risks. This question is seriously compounded when generalized to include people who are using computer systems.
Personal risk-taking behavior can arise from biological, psychological, and social causes. Computer-related risks also involve psychological and social causes -- but also economic, political, institutional, and educational causes. To understand such behavior, it must be analyzed in terms of how individuals, institutions, and the social environment perceive it and what other less maladaptive options are available. What seems critical in assessing any such behavior is whether any control can be exerted over it, and which people and institutions might be aware of its consequences and able to act appropriately. Here are just a few manifestations that result from increased dependence on information technology.
Loss of a sense of community. The easy online availability of excerpts from music, books, news, and other media may lead to fewer incentives for in-person gatherings, an impersonal lack of face-to-face contact, a lessening of thoughtful feedback, and a loss of the joy of browsing among tangible entities -- with many social consequences. It may also tend to dumb down our intellects.
Acceleration. Instantaneous access and short-latency turn-around times as in e-mail and instant messaging might seem to allow more time for rumination. However, the expectation of equally instantaneous responses seems to diminish the creative process and escalate the perceived needs for responses. It also seems to lead to less interest in clarity, grammar, and spelling.
Temptation. Believing that one is unobserved, anonymous, or not accountable may lead to all sorts of risks -- such as clicking on untrustworthy URLs, opening risky attachments, and being susceptible to phishing attacks, scams, malware, and blackmail -- especially when communicating with unknown people or systems. This can lead to maladaptive consequences through bad judgment and inability to recognize consequences.
Dissociation. Irrational risk behavior may arise due to problems of a modular-cognitive separation. Such behaviors are not unconsciously motivated, yet individuals and institutions are unable to connect the expression of a particular behavioral pattern with its detrimental effects. The extent to which foreseeable computer-related risks are ignored by system developers, operators, and users is quite remarkable from a psychological point of view.
Our society often mythologizes artists, explorers, and scientists who take self-destructive risks as heroes who have enriched society. Often people (particularly the young) get a complicated and mixed message concerning the social value of personal risk taking. With respect to computer-related risks, our society tends to mythologize the infallibility of computer technology and the people who develop it, or alternatively, to shoot the messenger when things go wrong rather than remediating the underlying problems.
The big difference seems to be this: In their personal lives, people tend to consciously and deliberately take risks -- though often unaware of possibly serious consequences. When dealing with computer technology, they tend to take risks unconsciously and in many cases unwillingly. (On the other hand, readers of this column space are likely to be much more wary.)
In dealing with personal and computer-related risks, vigorous, compelling, and cognitively clear educational programs are vital in modulating unhealthy behavior and endorsing new attempts to deal with changing environments.
Dr. Leonard Zegans is a psychiatrist and professor in the University of California at San Francisco Medical School. See his book chapter, Risk-Taking and Decision Making, in Self-Regulatory Behavior and Risk Taking Behavior, L. Lipsitt and L. Mitnick, eds., Ablex, Norwood, N.J. 257-272, 1991.
========================================================