Software Infrastructure for
Electronic Commerce
Professor Fred B. Schneider
Dept. of Computer Science
Cornell University
Networked Computing Systems

Provide opportunities …
– Increase speed/bandwidth of interaction.
– New modes of interaction for customers.
– New services.

Introduce risks ...
– System development cost and timing.
– Dependence on hardware/software.
This week: CS lectures

– Learn the vocabulary and basic concepts behind e-commerce-relevant technologies.
– Build intuitions for using those concepts and for evaluating relevant technologies.
    Where are the opportunities today? Tomorrow?
– Acquire technology skepticism.
    Where are the risks today? Tomorrow?
Intended Audience
You are
– a business-oriented person with a strong interest in the roles of computer
  and communications technology,
– a user of computer applications (e.g. Word, Excel) but don't know how to
  program,
– a casual "surfer" of the internet (web) for information and/or purchases,
– and have not taken CS513, CS514, CS432, or CS632.
Lecturer Backgrounds
We are
– academic computer scientists who teach, research, and write,
– with industrial experience:
    Consulting to management.
    Running "start-ups" (2 on-going; 1 sold).
    CEO, CTO, chief scientist, tech advisory boards, etc.
Lecturers
Fred B. Schneider (Computer security)
fbs@cs.cornell.edu
4115C Upson Hall
255-9221
Ken Birman (Networks/Reliability)
ken@cs.cornell.edu
4119B Upson Hall
255-9199
Johannes Gehrke (Databases/data mining)
johannes@cs.cornell.edu
4108 Upson Hall
255-1045
Trustworthy Networked
Information Systems
All about the non-technical context
for this technical subject.
Networked Information Systems
Networked Information System (NIS) integrates
– computers,
– communications, and
– people (as users and as operators).
Distinguishing characteristics:
– Many interfaces to other systems.
– Commercial off-the-shelf (COTS) hardware + software.
– Extensible system components.
A Trustworthy NIS
Works correctly, despite
– environmental disruption,
– human user and operator errors,
– hostile attacks, and
– design and implementation errors.
Holistic and multidimensional problem:
– Property of the system, not just of its components.
– Involves many interacting sub-properties.
NIS software characteristics

– Substantial legacy content.
    – Documentation missing or incomplete.
    – Difficult to modify or port.
– Grows by accretion and agglomeration.
    – No master plan or architect.
    … Nobody understands how/why the system works.
– Uses commercial off-the-shelf (COTS) components and COTS middleware, which
    – reduces costs and risks,
    – increases the labor pool, and
    – facilitates interoperability,
  but brings
    – limited internals visibility / capacity for change, and
    – dependence on a 3rd party.
Some relevant business trends

– Organizations driven to operate faster / more efficiently (e.g. JIT
  production and services).
– Climate of deregulation (e.g. power, telecom) promotes cost control and
  product enhancements.
– Rise of electronic commerce.
NIS as a response
NIS affects costs and products:
– Enables outsourcing of suppliers (b2b).
– Enables a diminishing capacity cushion.
    Control is more difficult --- need automated support.
    Control is more necessary --- don't have spare capacity.
    But cascading failures are more likely.
– Enables product enhancements, but complexity is increased, so the result is
  flaws and surprising behavior.
Two Case Studies

– Public switched telephone network (PTN)
– Internet
Changes in the PTN

– Old model: Few telephone companies; regulated monopoly.
    – Limited cost pressure.
    – Comparatively few services.
– New model: Many telephone companies; freely compete.
    – Intense cost pressure stresses facilities.
    – Many services, for marketing and interworking.
Redundancy in the PTN

– Laying cable involves high cost per mile.
    – Carry more calls per cable; cut costs.
    – Fewer cables: less backup; more circuits interrupted by each incident.
  So, companies lease circuits from each other.
    – Less aggregate spare capacity than appears at first glance.
– Central offices are expensive -- land, auxiliary equipment, etc.
  So, fewer CO's; each one is larger.
New Services in the PTN

– New services introduced for differential advantage…
  … but now more complexity in the network.
– Must interoperate with other telcos.
    – Check databases; hand off calls to the proper carrier, etc.
  Again, more complexity.
– Newer equipment (cross-connects, muxes) is software-controlled.
    – Requires authorization.
Many Telephone Companies

– Past: Switches and protocols were designed assuming few, trustworthy
  telcos.
    No firewalls exist for "SS7".
– Today: Anyone can be a phone company; inexperience matters even more than
  malice.
State of the Internet
The Internet has always had many ISPs.
– No one has a complete view of network state.
– Engineering is hard; problems tend to occur at the seams.
– Cluelessness abounds.
Routing Issues

– Tension: responsiveness versus instability during changes.
    – Configuration errors increase the "flapping" rate.
– Routing protocols are insecure.
    – Errors have already disrupted routing.
    – An attacker could reroute traffic deliberately.
– Need QoS-sensitive routing mechanisms.
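The responsiveness-versus-instability tension above is what route-flap damping tries to manage: a prefix that keeps being withdrawn and re-announced is penalised and, once the penalty is high enough, simply not advertised until the penalty has decayed. The following is an added example, not part of the lecture slides; it replays a constructed BGP update log (the prefixes, times and the "misconfigured peer" story are made up) through a damping state machine shaped like RFC 2439. The parameter values, the penalty-on-withdraw rule and the names DampState, simulate and flap_count are assumptions chosen for the example, not any router's actual configuration.

```python
"""Route-flap damping over a constructed BGP update log.

Added example for the "flapping" bullet; not from the lecture slides.  The
penalty/decay scheme follows the shape of RFC 2439 route-flap damping, but the
parameter values below are assumed defaults chosen for the example.
"""
from dataclasses import dataclass

FLAP_PENALTY = 1000.0    # penalty added each time a prefix is withdrawn (assumed)
HALF_LIFE_S = 15 * 60    # penalty halves every 15 minutes (assumed)
SUPPRESS_LIMIT = 2000.0  # above this the prefix is suppressed (assumed)
REUSE_LIMIT = 750.0      # below this a suppressed prefix is re-advertised (assumed)
MAX_PENALTY = 12000.0    # ceiling on the accumulated penalty (assumed)

# Constructed update log, one event per line: "<seconds> <prefix> <announce|withdraw>".
# 10.0.0.0/8 is stable; 192.0.2.0/24 flaps every minute, as a misconfigured
# peer that keeps resetting its session would cause.
UPDATE_LOG = """\
0 10.0.0.0/8 announce
0 192.0.2.0/24 announce
60 192.0.2.0/24 withdraw
120 192.0.2.0/24 announce
180 192.0.2.0/24 withdraw
240 192.0.2.0/24 announce
300 192.0.2.0/24 withdraw
360 192.0.2.0/24 announce
"""


@dataclass
class DampState:
    penalty: float = 0.0
    last_update: float = 0.0
    reachable: bool = False
    suppressed: bool = False

    def decay_to(self, now: float) -> None:
        """Exponentially decay the penalty for the time elapsed since the last update."""
        elapsed = now - self.last_update
        if elapsed > 0:
            self.penalty *= 0.5 ** (elapsed / HALF_LIFE_S)
        self.last_update = now

    def advertisable(self, now: float) -> bool:
        """Decay, re-evaluate suppression, and say whether the route may be advertised."""
        self.decay_to(now)
        if self.penalty > SUPPRESS_LIMIT:
            self.suppressed = True
        elif self.penalty < REUSE_LIMIT:
            self.suppressed = False
        return self.reachable and not self.suppressed

    def apply(self, now: float, event: str) -> bool:
        """Apply one update event and return whether the route is advertisable after it."""
        self.decay_to(now)
        if event == "withdraw":
            self.reachable = False
            self.penalty = min(MAX_PENALTY, self.penalty + FLAP_PENALTY)
        elif event == "announce":
            self.reachable = True
        else:
            raise ValueError(f"unknown event {event!r}")
        return self.advertisable(now)


def simulate(log: str) -> dict:
    """Replay the log; return {prefix: (state, [(time, advertisable), ...])}."""
    routes = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        t, prefix, event = line.split()
        state, history = routes.setdefault(prefix, (DampState(), []))
        history.append((float(t), state.apply(float(t), event)))
    return routes


def flap_count(log: str, prefix: str) -> int:
    """Number of withdrawals seen for a prefix: the raw input to the 'flapping rate'."""
    return sum(1 for line in log.splitlines()
               if line.split()[1:3] == [prefix, "withdraw"])


if __name__ == "__main__":
    routes = simulate(UPDATE_LOG)
    for prefix, (state, history) in routes.items():
        print(prefix, "flaps:", flap_count(UPDATE_LOG, prefix),
              "history:", history, "penalty now: %.0f" % state.penalty)
    # The flapping prefix stays suppressed until its penalty decays below
    # REUSE_LIMIT, roughly half an hour after its last flap here.
    print("192.0.2.0/24 advertisable at t=2160s:",
          routes["192.0.2.0/24"][0].advertisable(2160))
```

Three withdrawals in five minutes push the flapping prefix over the suppress limit, so its final announcement at t=360 is not propagated even though the route is reachable again; the stable prefix is untouched. That is the trade-off on the slide: damping buys stability for the rest of the network at the cost of responsiveness for the prefix that is (perhaps innocently) misconfigured.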
General Internet Security

– Pretty bad…
– Some problems are due to lack of cryptography.
    – IP spoofing, password "sniffing", etc.
    – IPSEC deployment should help this.
– Most problems are due to buggy code.
    – Cryptography won't help this at all.
    – Bugs have been reported even in cryptographic modules.
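What "password sniffing" means in practice for the protocols of the day: a passive listener on the path sees FTP and POP3 logins verbatim and HTTP Basic credentials under a trivially reversible base64 encoding, while the same login carried inside an encrypted channel yields nothing. The block below is an added example, not from the lecture slides. The capture, flows, hosts, accounts and passwords are all constructed for the example, the port-443 payload is opaque bytes standing in for a TLS record rather than a real one, and the names CAPTURE, extract_credentials and dst_port are assumptions for the example.

```python
"""A minimal plaintext-credential sniffer, run over a constructed capture.

Added example for the "password sniffing" bullet; not from the lecture slides.
Everything in CAPTURE is made up for this example.
"""
import base64
import re
from typing import List, Tuple

# Constructed capture: (flow, TCP payload as the wire carries it).
CAPTURE = [
    ("10.1.1.5:40001->198.51.100.7:21",                 # FTP login, in the clear
     b"USER alice\r\nPASS s3cret\r\nSYST\r\n"),
    ("10.1.1.5:40002->198.51.100.8:80",                 # HTTP Basic: base64 is not encryption
     b"GET /admin HTTP/1.0\r\nHost: intranet\r\n"
     b"Authorization: Basic " + base64.b64encode(b"bob:hunter2") + b"\r\n\r\n"),
    ("10.1.1.9:40003->198.51.100.9:110",                # POP3 login, in the clear
     b"USER carol\r\nPASS pa55word\r\nSTAT\r\n"),
    ("10.1.1.5:40004->198.51.100.8:443",                # same kind of login over TLS:
     bytes.fromhex(                                     # opaque bytes stand in for ciphertext
         "1703030020a1c0ff3e97d2b8e4c5d6f70812a9bc4d5e6f708192a3b4c5d6e7f8091a2b3c4d")),
]

# FTP and POP3 send the password in a PASS line shortly after USER.
USER_PASS = re.compile(rb"USER (\S+)\r\n.*?PASS (\S+)\r\n", re.DOTALL)
# HTTP Basic authentication header: base64 of "user:password".
BASIC = re.compile(rb"Authorization: Basic ([A-Za-z0-9+/=]+)\r\n")


def dst_port(flow: str) -> int:
    """Destination TCP port of a 'src:port->dst:port' flow string."""
    return int(flow.split("->")[1].rsplit(":", 1)[1])


def extract_credentials(capture) -> List[Tuple[str, str, str]]:
    """Return (protocol, user, password) for every credential visible in the clear."""
    found = []
    for flow, payload in capture:
        port = dst_port(flow)
        if port in (21, 110):
            m = USER_PASS.search(payload)
            if m:
                found.append(("ftp" if port == 21 else "pop3",
                              m.group(1).decode(), m.group(2).decode()))
        elif port == 80:
            m = BASIC.search(payload)
            if m:
                user, _, password = base64.b64decode(m.group(1)).decode().partition(":")
                found.append(("http-basic", user, password))
        # Anything else, including the port-443 flow, yields nothing: the same
        # USER/PASS exchange inside an encrypted channel is not readable from the wire.
    return found


if __name__ == "__main__":
    for proto, user, password in extract_credentials(CAPTURE):
        print(f"{proto}: {user} / {password}")
```

Note what the example does not show: it says nothing about whether the FTP or HTTP server itself is correctly written. That is the slide's second point. Encrypting these flows removes the sniffer's view, but a buffer overflow or logic bug in the server behind port 443 is exactly as exploitable as one behind port 80.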
Everything is Interconnected

– Phone and power companies use Internet technology.
– Their operational systems are linked to their corporate systems, which are
  linked to the Internet.
– And the Internet requires power, and is largely built on top of PTN circuits.
What about Internet Telephony?

– Many PTN-specific vulnerabilities (links, databases, etc.) will remain.
– New reliance on IP routing, rather than PTN routing.
– New database needed, to map phone numbers to IP addresses.
– Harder to move control functions out-of-band on the Internet.
What if NIS is not trustworthy ...

– Information disclosure (stored or transmitted)
    – personal embarrassment
    – compromise of corporate strategy
    – compromise of national security
– Information alteration
    – affect government or corporate operations
– New forms of warfare
    – disable capacity without physical destruction.
    – attack without physical penetration by the attacker.
    – "time bomb" and undetectable attacks.
Why isn't NIS trustworthy? Cost!

– COTS is cheaper than custom.
    – Time-to-market determines market share.
    – COTS producers believe:
        Customers prefer features to trustworthiness.
        Adding trustworthiness increases time-to-market.
– Must use existing communications fabrics.
    – Few can shoulder the burden of laying cable.
    – Existing services (PSTN, Internet) not well suited for NIS
      trustworthiness.
Costs / Trustworthiness could change

– Moore's Law:
    – Semiconductor density doubles every 18-24 months.
– COTS predominance implies trustworthiness investments can be highly
  leveraged.
– Communications fabrics likely to undergo radical changes in coming years:
    – growth in cable, satellite, cellular.
    – new pricing for new services.
Why invest in trustworthiness?

– To manage risk!
    – Need: probabilities and costs of breaches.
    … Security risks are more difficult to identify and quantify than those
      that arise for reliability.
    – Clear trend: migration from risk avoidance to risk management?
– To create new market opportunities:
    – FedEx, banking, e-commerce b2b/b2p
Won't the market solve this problem?
No.
– Few customers understand:
    What trustworthiness buys.
    What is risked by its absence.
    (Reliability is an exception: strong market here.)
  Consumers seem to prefer functionality!
– Producers/consumers cannot assess:
    Trustworthiness of products.
    Costs of having trustworthiness in products.
    Costs of not having trustworthiness in products.
Conveying product trustworthiness
No solution in sight or expected...
– Identifying metrics for reliability is realistic.
– Identifying metrics for security is misguided.
– What about standards/criteria/specifications?
    • Process (e.g. SEI CMM, ISO 9000).
    • Artifact (Good Housekeeping seal, Consumers Union, …).
    – Cannot keep pace with evolving threats.
    – Cannot keep pace with the product development cycle.
    – Evaluated products not good enough… Glue is important.
Functionality versus Assurance
What does the rating convey?
– Functionality: What it does.
– Assurance: Confidence that that is what it does.
[Figure: Assurance plotted against Functionality, with the regions labelled "Conservative" and "Danger".]
Cryptography: Political and Technical

– Most security problems are due to buggy code.
– Inhibitory factors to deployment:
    – Government regulations (but they are changing!).
    – Reduced convenience and usability.
    – Sacrifice interoperability (e.g. email).
    – Increased computation/communication requirements.
    – Lack of existing infrastructure.
    – Patent restrictions (notable expirations in Fall '00).
For Further Reading
Read the Executive Summary and Chapters 1 and 6 of:
Trust in Cyberspace, National Academy Press (1999). It can be found at:
http://www.nap.edu/readingroom/books/trust