Security is a System Property

There's lots of security advice in the press: keep your systems patched, use a password manager, don't click on links in email, etc. But there's one thing these adages omit: an attacker who is targeting you, rather than whoever falls for the phishing email, won't be stopped by one defensive measure. Rather, they'll go after the weakest part of your defenses. You have to protect everything — including things you hadn't realized were relevant. Security is a systems problem: everything matters, including the links between the components and even the people who use the system.

Passwords are a good illustration of this point. We all know the adage: "pick strong passwords". There are lots of things wrong with this and other simplistic advice with passwords, but we'll ignore most of them to focus on the systems problem. So: what attacks do strong passwords protect against?

The original impetus for this advice came from a 1979 paper by Bob Morris and Ken Thompson. (Morris later became Chief Scientist of the NSA's National Computer Security Center; Thompson is one of the creators of Unix.) When you read it carefully, you realize that strong passwords guard against exactly two threats: someone who tries to log in as you, and someone who has hacked the remote site and is trying to guess your password. But strong passwords do nothing if your computer (in those days, computer terminal...) is hacked, or if the line is tapped, or if you're lured to a phishing site and send your password, in the clear, to an enemy site. To really protect your password, then, you need to worry about all of those factors and more.

It's worth noting that Morris and Thompson understood this thoroughly. Everyone focuses on the strong password part, and — if they're at least marginally competent — on password salting and hashing, but few people remember this quote, from the first page of the paper:

Remote-access systems are peculiarly vulnerable to penetration by outsiders as there are threats at the remote terminal, along the communications link, as well as at the computer itself. Although the security of a password encryption algorithm is an interesting intellectual and mathematical problem, it is only one tiny facet of a very large problem. In practice, physical security of the computer, communications security of the communications link, and physical control of the computer itself loom as far more important issues. Perhaps most important of all is control over the actions of ex-employees, since they are not under any direct control and they may have intimate knowledge about the system, its resources, and methods of access. Good system security involves realistic evaluation of the risks not only of deliberate attacks but also of casual authorized access and accidental disclosure.

(True confession: I'd forgotten that they noted the scope of the problem, perhaps because I first read that paper when it originally appeared.)

I bring this up now because of some excellent reporting about hacking and the 2016 election. Voting, too, is a system — it's not just voting machines that are targets, but rather, the entire system. This encompasses registration, handling of the "poll books" — which may themselves be computerized — the way that poll workers sign in voters, and more. I'll give an example, from the very first time I could vote in a presidential election: the poll workers couldn't find my registration card. I was sent off to a bank of phones to try to call the county election board. The board had far too few phone lines, so I kept getting busy signals, all the while thinking nasty thoughts about attempts to keep Yankees (I'd just moved to North Carolina) and students (I was there for grad school) from voting.

Think of all of the system pieces in just that part of the election. There was the poll worker — was she honest? There was the election book, and whatever processes, mechanisms, software, or people had gone into compiling it. There was the phone bank I was using, the phone network, the phones at the election board, the people there, and their backend systems that had a master copy of the election roll. My story had a happy ending — the poll worker kept checking, and found that my card had been misalphabetized — but if an analogous problem happened today with an electronic poll book, it's hard to see how the poll worker's diligence could have resolved it. (For other interesting systems aspects of voting, including issues with poll books, see an old blog post of mine.)

The systems aspect of voting is apparent to some, of course, including the New York Times reporters who are covering the hacking story:

Michael Wines, who covers election issues for the Times, said that what stood out to him was the vulnerability of the nation's vast Rube Goldberg election system. Elections, he explained, "are run by understaffed, underfinanced and sometimes undertrained local officials, serviced by outside contractors who may or may not be well vetted, conducted with equipment and software that may or may not be secure." [emphasis added]

Almost all security problems are system problems; beware of people who try to sell you simplistic, point solutions. It's not that these solutions are wrong; rather, they have to be examined for their role in securing the system. Consider HTTPS — encrypted — web connections. Unless you're being targeted by law enforcement or a major intelligence agency, the odds of your connection being tapped on the backbone are vanishingly small. However, it's trivial to tap someone's WiFi connection if you're on the same net as them, e.g., in a public hotspot. So — it's a good idea to encrypt web pages, but if the environment is strictly controlled LAN to controlled LAN, that should be far down on your list of security priorities. And remember: encrypting one link does not solve any of the many other vulnerable points in your system.
Written by Steven Bellovin, Professor of Computer Science at Columbia University

The post Security is a System Property appeared first on iGoldRush Domain News and Resources.


Domain Data: 78% of TechStars Companies Use .COM

NamePros: The worldwide entrepreneurial network Techstars has been helping startups grow since 2006. Co-founded by angel investor David Cohen, this network has invested more than $3.5 billion in over one thousand companies including SendGrid, ClassPas...

Hammock swings from Rightside to MarkMonitor

Statton Hammock has joined brand protection registrar MarkMonitor as its new vice president of global policy and industry development. He was most recently VP of business and legal affairs at Rightside, the portfolio gTLD registry that got acquired by Donuts in July. He spent four years there. The new gig sounds like a broad brief. […]

Global Content Removals Based on Local Legal Violations – Where are we Headed?

Excerpt from my Internet Law casebook discussing transborder content removal orders, including the Equustek case.

From the Internet's earliest days, the tension between a global communication network and local geography-based laws has been obvious. One scenario is that every jurisdiction's local laws apply to the Internet globally, meaning that the country (or sub-national regulator) with the most restrictive law for any content category sets the global standard for that content. If this scenario comes to pass, the Internet will only contain content that is legal in every jurisdiction in the world — a small fraction of the content we as Americans might enjoy, because many countries restrict content that is clearly legal in the U.S.

Perhaps surprisingly, we've generally avoided this dystopian scenario — so far. In part, this is because many major Internet services create localized versions of their offerings that conform to local laws, which allows the services to make country-by-country removals of locally impermissible content. Thus, the content on google.de might vary pretty substantially from the content on google.com. This localization undermines the 1990s utopian vision that the Internet would enable a single global content database that everyone in the world could uniformly enjoy. However, service localization has also forestalled more dire regulatory crises. So long as google.de complies with local German laws and google.com complies with local U.S. laws, regulators in the U.S. and Germany should be OK...right?

Increasingly, the answer appears to be "no." Google's response to the European RTBF rule has highlighted the impending crisis. In response to the RTBF requirement that search engines remove certain search results associated with their names, initially Google only de-indexed results from its European indexes, i.e., Google would scrub the results from Google.de but not Google.com. However, European users of Google can easily seek out international versions of Google's search index. An enterprising European user could go to Google.com and obtain unscrubbed search results — and compare the search results with the localized edition of Google to see which results had been scrubbed.

The French Commission Nationale de l'Informatique et des Libertés (CNIL) has deemed this outcome unacceptable. As a result, it has demanded that Google honor an RTBF de-indexing request across all of its search indexes globally. In other words, if a French resident successfully makes a de-indexing request under European data privacy laws, Google should not display the removed result to anyone in the world, even searchers outside of Europe who are not subject to European law.

The CNIL's position is not unprecedented; other governmental agencies have made similar demands for the worldwide suppression of content they object to. However, the demand on Google threatens to break the Internet. Either Google must cease all of its French operations to avoid being subject to the CNIL's interpretation of the law, or it must give a single country the power to decide what content is appropriate for the entire world — which, of course, could produce conflicts with the laws of other countries.

Google proposed a compromise of removing RTBF results from its European indexes, and if a European attempts to log into a non-European version of Google's search index, Google will dynamically scrub the results it delivers to the European searcher. As a result, if the European searcher tries to get around the European censored results, he or she will still not see the full search results. (Of course, it would be easy to bypass Google's dynamic scrubbing using VPNs). CNIL has rejected Google's compromise as still unacceptable.

If CNIL gets its way, other governments with censorious impulses will demand equal treatment. But even Google's "compromise" solution — walling off certain information from being available in a country that seeks to censor that information — will be helpful to censors. In effect, the RTBF ruling forces Google to build a censorship infrastructure that regulators can coopt for other censorious purposes. Thus, either way, the resolution to the RTBF's geography conundrum provides a preview of the future of global censorship.

The Equustek Case

The local violation/global removal debate is taking place in other venues as well. In 2017, the Canada Supreme Court ordered Google to globally remove search results based on alleged Canadian legal violations. Google Inc. v. Equustek Solutions Inc., 2017 SCC 34.

In that case, Datalink, a competitor of Equustek, sold products that allegedly infringed Equustek's intellectual property rights. After Equustek sued Datalink, Datalink relocated to an unknown location outside of Canada, putting it out of the reach of Canadian courts. Equustek asked Google to deindex Datalink's website. Google partially deindexed the site from google.ca, but Equustek sought more relief. The Canada Supreme Court ordered global deindexing of Datalink's website:

The problem in this case is occurring online and globally. The Internet has no borders — its natural habitat is global. The only way to ensure that the interlocutory injunction attained its objective was to have it apply where Google operates — globally. As Fenlon J. found, the majority of Datalink's sales take place outside Canada. If the injunction were restricted to Canada alone or to google.ca, as Google suggests it should have been, the remedy would be deprived of its intended ability to prevent irreparable harm. Purchasers outside Canada could easily continue purchasing from Datalink's websites, and Canadian purchasers could easily find Datalink's websites even if those websites were de-indexed on google.ca. Google would still be facilitating Datalink's breach of the court's order which had prohibited it from carrying on business on the Internet....

The order does not require that Google take any steps around the world, it requires it to take steps only where its search engine is controlled....

This is not an order to remove speech that, on its face, engages freedom of expression values, it is an order to de-index websites that are in violation of several court orders....

This does not make Google liable for this harm. It does, however, make Google the determinative player in allowing the harm to occur.

The court noted that Google admitted it would be easy to deindex Datalink's domain name, and the court noted that Google regularly deindexes content for other reasons, such as the DMCA online safe harbor.

The court dismissed the risk of international conflicts-of-laws because everyone apparently accepted that Datalink would violate Equustek's IP rights under other countries' laws. However, the court was surprisingly unspecific about the alleged IP violations, which apparently included trademarks and trade secrets. Due to the ambiguities about the alleged IP violations, the court avoided some subtle IP issues, such as the scope of Equustek's trademark rights (usually trademark rights don't reach beyond a country's borders, so a Canadian court could not order a defendant to stop infringing trademark rights in other countries) and the likelihood that Canadian trade secret laws and remedies differ from the laws and remedies of other countries. See Ariel Katz, Google v. Equustek: Unnecessarily Hard Cases Make Unnecessarily Bad Law, ArielKatz.org, June 29, 2017.

Because the court sidestepped the international conflicts-of-laws issue, the Equustek case's facts do not implicate the more problematic situation where Datalink's content violates Canadian law but is legal in other countries, yet a Canadian court order under Canadian law prevents the content from being available in countries where it was legal. (The CNIL-demanded rule would reach this outcome, because RTBF-scrubbed content illegal in Europe would be almost certainly legal in the U.S.). The court said that Google could challenge the injunction in Canadian courts if the injunction violates other countries' laws — but will Google really spend substantial money and time to defend a third party content by going back to a Canadian court to adjudicate the content's legitimacy?

In response to the opinion, Canadian law professor Michael Geist wrote:

What happens if a Chinese court orders it to remove Taiwanese sites from the index? Or if an Iranian court orders it to remove gay and lesbian sites from the index? Since local content laws differ from country to country, there is a great likelihood of conflicts. That leaves two possible problematic outcomes: local courts deciding what others can access online or companies such as Google selectively deciding which rules they wish to follow. The Supreme Court of Canada did not address the broader implications of the decision, content to limit its reasoning to the need to address the harm being sustained by a Canadian company, the limited harm or burden to Google, and the ease with which potential conflicts could be addressed by adjusting the global takedown order. In doing so, it invites more global takedowns without requiring those seeking takedowns to identify potential conflicts or assess the implications in other countries.

Michael Geist, Global Internet Takedown Orders Come to Canada: Supreme Court Upholds International Removal of Google Search Results, MichaelGeist.ca, June 28, 2017.

Does the Equustek ruling mean that plaintiffs (both Canadian and non-Canadian) will flock to Canadian courts to sue non-Canadian defendants solely to get global deindexing orders?

Note that the Equustek ruling (and the CNIL dispute) avoid an underlying jurisdictional issue because Google has substantial physical presence in both Canada and Europe. Would Canada or Europe have jurisdiction over an Internet service that operates exclusively from the United States?

I encourage you to do a thought exercise: project yourself 20 years in the future. What do you think will be the state of the law on global removals based on local violations? Do you think most countries will have embraced the Equustek approach broadly? If so, do you think the Internet (however you define it) will be better or worse as a result?

* * *

After I wrote this, Google sought legal relief in US courts from the Equustek ruling. For useful perspective on Google's move, read Daphne Keller's analysis.
Written by Eric Goldman, Professor, Santa Clara University School of Law


Top 10 New gTLDs on iwantmyname (Sep 2017)

.design

.club

.photography

.work

.website

.link

.studio

.cloud

.kiwi

.photo

Looking at the TLD stats (ranked by domains we have under management), a conclusion that could be drawn is that the new gTLDs are largely being adopted by the design/creative community. And it makes sense – as a freelance designer or photographer, finding a professional, identifiable domain name is one of your first major milestones. But most of the good .com’s and .co’s of the world are taken already, and buying one on the domain aftermarket can be a costly endeavor. So instead of .com, people are going with .design, .photography, .studio, .work, etc.
Seen another way though, the simplicity of setting up a portfolio site using our plugins might attract a particular sort of design-focused but dev-challenged individual (I definitely fall into that camp). Hard to say which view is true – my hope is both.
