
Security is a System Property

There's lots of security advice in the press: keep your systems patched, use a password manager, don't click on links in email, etc. But there's one thing these adages omit: an attacker who is targeting you, rather than whoever falls for the phishing email, won't be stopped by one defensive measure. Rather, they'll go after the weakest part of your defenses. You have to protect everything — including things you hadn't realized were relevant. Security is a systems problem: everything matters, including the links between the components and even the people who use the system.

Passwords are a good illustration of this point. We all know the adage: "pick strong passwords". There are lots of things wrong with this and other simplistic advice about passwords, but we'll ignore most of them to focus on the systems problem. So: what attacks do strong passwords protect against?

The original impetus for this advice came from a 1979 paper by Bob Morris and Ken Thompson. (Morris later became Chief Scientist of the NSA's National Computer Security Center; Thompson is one of the creators of Unix.) When you read it carefully, you realize that strong passwords guard against exactly two threats: someone who tries to log in as you, and someone who has hacked the remote site and is trying to guess your password from the stolen password file. But strong passwords do nothing if your computer (in those days, computer terminal...) is hacked, or if the line is tapped, or if you're lured to a phishing site and send your password, in the clear, to an enemy site. To really protect your password, then, you need to worry about all of those factors and more.

It's worth noting that Morris and Thompson understood this thoroughly. Everyone focuses on the strong password part, and — if they're at least marginally competent — on password salting and hashing, but few people remember this quote, from the first page of the paper:

Remote-access systems are peculiarly vulnerable to penetration by outsiders as there are threats at the remote terminal, along the communications link, as well as at the computer itself. Although the security of a password encryption algorithm is an interesting intellectual and mathematical problem, it is only one tiny facet of a very large problem. In practice, physical security of the computer, communications security of the communications link, and physical control of the computer itself loom as far more important issues. Perhaps most important of all is control over the actions of ex-employees, since they are not under any direct control and they may have intimate knowledge about the system, its resources, and methods of access. Good system security involves realistic evaluation of the risks not only of deliberate attacks but also of casual authorized access and accidental disclosure.

(True confession: I'd forgotten that they noted the scope of the problem, perhaps because I first read that paper when it originally appeared.)
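To make the two threats concrete, here is a small added example (not code from the post or from the Morris-Thompson paper) of a salted, iterated password store. The function names, the iteration count and the word list are this example's own assumptions. It shows what the store does defend against: salting makes identical passwords produce different records, so precomputed tables don't work against a stolen file, and a strong password survives a guessing list that a weak one does not. It also shows the limit the post is making: a plaintext captured at the terminal, on the line or by a phishing page verifies immediately, whatever the hash and password strength.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed example: per-user random salt plus PBKDF2-HMAC-SHA256.
# ITERATIONS is an assumed work factor chosen for a quick demonstration.
ITERATIONS = 100_000


def enroll(password: str, salt: Optional[bytes] = None) -> Dict[str, bytes]:
    """Create the stored record for a password: fresh random salt and the
    derived hash. Only the record is kept, never the plaintext."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(record: Dict[str, bytes], candidate: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time,
    so the comparison itself leaks nothing about where the bytes differ."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def same_password_different_records(password: str) -> bool:
    """Threat 2 (stolen password file): two users with the same password get
    different records because the salts differ, so one precomputed table
    cannot be applied to the whole file."""
    return enroll(password)["hash"] != enroll(password)["hash"]


def guesses_needed(record: Dict[str, bytes], wordlist: List[str]) -> Optional[int]:
    """Threats 1 and 2: how many attempts from a (constructed) guess list
    does it take to match the record? None means the list was exhausted,
    which is what a strong password buys you against guessing."""
    for attempt, guess in enumerate(wordlist, start=1):
        if verify(record, guess):
            return attempt
    return None


def captured_plaintext_bypasses_store(record: Dict[str, bytes], captured: str) -> bool:
    """The threats the store does NOT cover: a plaintext captured at the
    terminal, on the line or by a phishing site verifies on the first try.
    Neither the hash construction nor the password's strength matters here."""
    return verify(record, captured)


if __name__ == "__main__":
    guess_list = ["123456", "password", "letmein"]  # constructed, for illustration
    weak = enroll("password")
    strong = enroll("x7#Qm!vR2pL9@zW")  # constructed strong password
    print("salt defeats precomputation:", same_password_different_records("password"))
    print("weak password found after guesses:", guesses_needed(weak, guess_list))
    print("strong password found after guesses:", guesses_needed(strong, guess_list))
    print("captured plaintext still works:", captured_plaintext_bypasses_store(strong, "x7#Qm!vR2pL9@zW"))
```

The last function is the whole point of the paragraph above: everything the store does well is about the hash file and the login prompt, and none of it helps once the plaintext has left the user's hands somewhere else in the system.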

I bring this up now because of some excellent reporting about hacking and the 2016 election. Voting, too, is a system — it's not just voting machines that are targets, but rather, the entire system. This encompasses registration, handling of the "poll books" — which may themselves be computerized — the way that poll workers sign in voters, and more. I'll give an example, from the very first time I could vote in a presidential election: the poll workers couldn't find my registration card. I was sent off to a bank of phones to try to call the county election board. The board had far too few phone lines, so I kept getting busy signals, all the while thinking nasty thoughts about attempts to keep Yankees (I'd just moved to North Carolina) and students (I was there for grad school) from voting.

Think of all of the system pieces in just that part of the election. There was the poll worker — was she honest? There was the election book, and whatever processes, mechanisms, software, or people had gone into compiling it. There was the phone bank I was using, the phone network, the phones at the election board, the people there, and their backend systems that had a master copy of the election roll. My story had a happy ending — the poll worker kept checking, and found that my card had been misalphabetized — but if an analogous problem happened today with an electronic poll book, it's hard to see how the poll worker's diligence could have resolved it. (For other interesting systems aspects of voting, including issues with poll books, see an old blog post of mine.)

The systems aspect of voting is apparent to some, of course, including the New York Times reporters who are covering the hacking story:

Michael Wines, who covers election issues for the Times, said that what stood out to him was the vulnerability of the nation's vast Rube Goldberg election system. Elections, he explained, "are run by understaffed, underfinanced and sometimes undertrained local officials, serviced by outside contractors who may or may not be well vetted, conducted with equipment and software that may or may not be secure." [emphasis added]

Almost all security problems are system problems; beware of people who try to sell you simplistic, point solutions. It's not that these solutions are wrong; rather, they have to be examined for their role in securing the system. Consider HTTPS — encrypted — web connections. Unless you're being targeted by law enforcement or a major intelligence agency, the odds of your connection being tapped on the backbone are vanishingly small. However, it's trivial to tap someone's WiFi connection if you're on the same net as them, e.g., in a public hotspot. So — it's a good idea to encrypt web pages, but if the environment is strictly controlled LAN to controlled LAN, that should be far down on your list of security priorities. And remember: encrypting one link does not solve any of the many other vulnerable points in your system.

By Steven Bellovin, Professor of Computer Science at Columbia University – Bellovin is the co-author of Firewalls and Internet Security: Repelling the Wily Hacker, and holds several patents on cryptographic and network protocols. He has served on many National Research Council study committees, including those on information systems trustworthiness, the privacy implications of authentication technologies, and cybersecurity research needs.
