Software Infrastructure for Electronic Commerce
Professor Fred B. Schneider
Dept. of Computer Science, Cornell University

Networked Computing Systems
Provide opportunities …
– Increase speed/bandwidth of interaction.
– New modes of interaction for customers.
– New services.
Introduce risks …
– System development cost and timing.
– Dependence on hardware/software.

This Week: CS Lectures
Learn the vocabulary and basic concepts behind e-commerce-relevant technologies.
Build intuitions for using those concepts and for evaluating relevant technologies.
– Where are the opportunities today? Tomorrow?
Acquire technology skepticism.
– Where are the risks today? Tomorrow?

Intended Audience
You are
– a business-oriented person with a strong interest in the roles of computer and communications technology,
– a user of computer applications (e.g. Word, Excel) who does not know how to program,
– a casual “surfer” of the Internet (web) for information and/or purchases,
– and have not taken CS513, CS514, CS432, or CS632.

Lecturer Backgrounds
We are
– academic computer scientists who teach, research, and write,
– with industrial experience:
  Consulting to management.
  Running “start-ups” (2 ongoing; 1 sold).
  CEO, CTO, chief scientist, tech advisory boards, etc.

Lecturers
Fred B. Schneider (Computer security)
  fbs@cs.cornell.edu, 4115C Upson Hall, 255-9221
Ken Birman (Networks/Reliability)
  ken@cs.cornell.edu, 4119B Upson Hall, 255-9199
Johannes Gehrke (Databases/data mining)
  johannes@cs.cornell.edu, 4108 Upson Hall, 255-1045

Trustworthy Networked Information Systems
All about the non-technical context for this technical subject.

Networked Information Systems
A Networked Information System (NIS) integrates
– computers,
– communications, and
– people (as users and as operators).
Distinguishing characteristics:
– Many interfaces to other systems.
– Commercial off-the-shelf (COTS) hardware + software.
– Extensible system components.

A Trustworthy NIS
Works correctly, despite
– environmental disruption,
– human user and operator errors,
– hostile attacks, and
– design and implementation errors.
Holistic and multidimensional problem:
– Property of the system, not just of its components.
– Involves many interacting sub-properties.

NIS Software Characteristics
Substantial legacy content.
– Documentation missing or incomplete.
– Difficult to modify or port.
Grows by accretion and agglomeration.
– No master plan or architect.
– … Nobody understands how/why the system works.
Uses commercial off-the-shelf (COTS) components and COTS middleware:
– Reduces costs and risks.
– Increases labor pool.
– Facilitates interoperability.
– Limited internals visibility / capacity for change.
– Dependence on 3rd party.

Some Relevant Business Trends
Organizations driven to operate faster / more efficiently (e.g. JIT production and services).
Climate of deregulation (e.g. power, telecom) promotes cost control and product enhancements.
Rise of electronic commerce.

NIS as a Response
NIS affects costs and products:
– Enables outsourcing of suppliers (b2b).
– Enables diminishing capacity cushion.
  Control is more difficult: need automated support.
  Control is more necessary: don’t have spare capacity.
  But cascading failures more likely.
– Enables product enhancements, but complexity is increased, so the result is flaws and surprising behavior.

Two Case Studies
– Public switched telephone network (PTN)
– Internet

Changes in the PTN
Old model: Few telephone companies; regulated monopoly.
– Limited cost pressure.
– Comparatively few services.
New model: Many telephone companies; freely compete.
– Intense cost pressure stresses facilities.
– Many services, for marketing and interworking.

Redundancy in the PTN
Laying cable involves high cost per mile.
– Carry more calls per cable; cut costs.
– Fewer cables: less backup; more circuits interrupted by each incident.
So, companies lease circuits from each other.
– Less aggregate spare capacity than appears at first glance.
Central offices are expensive (land, auxiliary equipment, etc.).
– So, fewer COs; each one is larger.

New Services in the PTN
New services introduced for differential advantage…
– … but now more complexity in the network.
Must interoperate with other telcos.
– Check databases; hand off calls to the proper carrier, etc.
– Again, more complexity.
Newer equipment (cross-connects, muxes) is software-controlled.
– Requires authorization.

Many Telephone Companies
Past: Switches and protocols were designed assuming few, trustworthy telcos.
– No firewalls exist for “SS7”.
Today: Anyone can be a phone company; inexperience matters even more than malice.

State of the Internet
The Internet has always had many ISPs.
– No one has a complete view of network state.
– Engineering is hard; problems tend to occur at the seams.
– Cluelessness abounds.

Routing Issues
Tension: responsiveness versus instability during changes.
– Configuration errors increase the “flapping” rate.
Routing protocols are insecure.
– Errors have already disrupted routing.
– An attacker could reroute traffic deliberately.
Need QoS-sensitive routing mechanisms.

General Internet Security
Pretty bad…
Some problems due to lack of cryptography.
– IP spoofing, password “sniffing”, etc.
– IPSEC deployment should help this.
Most problems due to buggy code.
– Cryptography won’t help this at all.
– Reported bugs are in cryptographic modules.

Everything is Interconnected
Phone and power companies use Internet technology.
Their operational systems are linked to their corporate systems, which are linked to the Internet.
And the Internet requires power, and is largely built on top of PTN circuits.

What about Internet Telephony?
Many PTN-specific vulnerabilities (links, databases, etc.) will remain.
New reliance on IP routing, rather than PTN routing.
New database needed, to map phone numbers to IP addresses.
Harder to move control functions out-of-band on the Internet.

What if NIS is not trustworthy …
Information disclosure (stored or transmitted)
– personal embarrassment
– compromise of corporate strategy
– compromise of national security
Information alteration
– affects government or corporate operations
New forms of warfare
– disable capacity without physical destruction.
– attack without physical penetration by the attacker.
– “time bomb” and undetectable attacks.

Why isn’t NIS trustworthy?
Cost!
COTS is cheaper than custom.
– Time-to-market determines market share.
– COTS producers believe:
  Customers prefer features to trustworthiness.
  Adding trustworthiness increases time-to-market.
Must use existing communications fabrics.
– Few can shoulder the burden of laying cable.
– Existing services (PSTN, Internet) not well suited for NIS trustworthiness.

Costs / Trustworthiness Could Change
Moore’s Law:
– Semiconductor density doubles every 18-24 months.
COTS predominance implies trustworthiness investments can be highly leveraged.
Communications fabrics likely to undergo radical changes in coming years:
– growth in cable, satellite, cellular.
– new pricing for new services.

Why Invest in Trustworthiness?
To manage risk!
– Need: probabilities and costs of breaches.
– … Security risks are more difficult to identify and quantify than those that arise for reliability.
– Clear trend: migration from risk avoidance to risk management?
To create new market opportunities:
– FedEx, banking, e-commerce b2b/b2p

Won’t the Market Solve This Problem?
No. Few customers understand:
– What trustworthiness buys.
– What is risked by its absence.
(Reliability is an exception: strong market here.)
Consumers seem to prefer functionality!
Producers/consumers cannot assess:
– Trustworthiness of products.
– Costs of having trustworthiness in products.
– Costs of not having trustworthiness in products.

Conveying Product Trustworthiness
No solution in sight or expected…
– Identifying metrics for reliability is realistic.
– Identifying metrics for security is misguided.
What about standards/criteria/specifications?
• Process (e.g. SEI CMM, ISO 9000).
• Artifact (Good Housekeeping seal, Consumer Union, …).
– Cannot keep pace with evolving threats.
– Cannot keep pace with the product development cycle.
– Evaluated products not good enough… Glue is important.

Functionality versus Assurance
What does the rating convey?
– Functionality: What it does.
– Assurance: Confidence that that is what it does.
[Figure: chart with Assurance and Functionality as its axes; regions labelled “Conservative” and “Danger”.]

Cryptography: Political and Technical
Most security problems are due to buggy code.
Inhibitory factors to deployment:
– Government regulations (but they are changing!).
– Reduced convenience and usability.
– Sacrificed interoperability (e.g. email).
– Increased computation/communication requirements.
– Lack of existing infrastructure.
– Patent restrictions (notable expirations in Fall ‘00).

For Further Reading
Read the Executive Summary and Chapters 1 and 6 of:
Trust in Cyberspace, National Academy Press (1999).
It can be found at: http://www.nap.edu/readingroom/books/trust