
Flaws in 'Internet SAFETY' bill

Unexpected consequences of required dynamic address allocation logging

Security Strategies Alert By M. E. Kabay, Network World
April 23, 2009 12:03 AM ET

The long view of security strategies for your network.


Friend and colleague Robert Gezelter points to serious deficiencies in the thinking behind legislation currently under consideration in the House and Senate. The remaining text is entirely Bob's with minor edits.

* * *

In February, Sen. John Cornyn (R-Texas) introduced the “Internet Stopping Adults Facilitating the Exploitation of Today’s Youth Act of 2009” (referred to as the “Internet SAFETY Act”). Rep. Lamar Smith (R-Texas) introduced a parallel resolution in the House of Representatives.

Both measures amend 18 USC §2703 and require that “A provider of an electronic communications service or remote computing service shall retain for a period of at least two years all records or other information pertaining to the identity of a temporarily assigned network address the service assigns to that user.”

Taken broadly, as some legal commentators have concluded, such requirements extend beyond the level of commercial ISPs and ensnare everyone who operates a Wi-Fi hot-spot or firewall, requiring every home or small business to become a long-term custodian of network logging data.

This requirement has problems of technical feasibility and accuracy. It may create both a surveillance hazard and a subpoena target.

The proposed legislation presumes the use of a network protocol suite that uses hardware MAC addresses, such as the IP suite. There are serious technical issues. Dynamic addresses are typically managed using Dynamic Host Configuration Protocol (DHCP). However, IP address assignment can also be done dynamically without any centralized authority under Microsoft’s “Automatic IP Addressing” (AIPA). DHCP servers issue “Leases” to requesting machines on specific IP addresses for a specified period of time, subject to renewal.

The association managed by either scheme depends on associating an IP address with an IEEE 802.3 MAC address. Although all IEEE 802.3 interfaces have a default hardware MAC address, the default is not always used by software. MAC addresses were never intended as non-forgeable machine serial numbers, and indeed MAC address spoofing (forging) and related attacks are well-known security hazards. MAC addresses are not a non-repudiable identifier.

Thus, it is quite possible to assume a DHCP lease without any knowledge of the original lessor. When the original lessor is seen to cease operation, the pretender merely assumes the mantle of the original MAC address and continues to use the network.

A second, far more serious problem is time correlation. Log records are reliable only if the timeline recorded in different logs can be correlated to a common clock. Tracking an Internet connection to a given address on one side of a firewall is useful only if it can be determined precisely which address on the far side of the firewall corresponded to that connection (in IP, the port number) at that precise time. Thus, TCP port 8465 may point to one address at 12:00:15 and to a different address at 12:00:30. Absent precisely correlated logs, which connection is the one of interest is not easily determined.
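The two problems above, a DHCP log that cannot tell a MAC-spoofing pretender from the original lessee and a NAT port that points at different inside hosts a few seconds apart, are easiest to see with the logs side by side. The following is an added example written for this column, not code from the column, the bill, or any vendor product. It assumes a constructed firewall log format (`<time> NAT <inside_ip>:<port> -> <public_ip>:<public_port>`), a constructed DHCP log format (`<time> DHCPACK <ip> <mac>`), the documentation address 203.0.113.5 as the public address, and a remote timestamp that may be skewed by an unknown number of seconds from the firewall's clock; every log line is invented for the illustration.

```python
"""Attributing one NAT'ed connection to an inside host from two logs.

Added illustration, not code from the column, the bill, or any vendor.
It assumes (constructed for this example) a firewall that NATs every
inside host behind one public address and logs each translation as
    <timestamp> NAT <inside_ip>:<inside_port> -> <public_ip>:<public_port>
and a DHCP server that logs each lease as
    <timestamp> DHCPACK <ip> <mac>
"""
from datetime import datetime, timedelta
from typing import Callable, List, NamedTuple, Optional, Tuple


class NatBinding(NamedTuple):
    start: datetime
    inside_ip: str
    public_port: int


class Lease(NamedTuple):
    start: datetime
    ip: str
    mac: str


# Constructed firewall log: public port 8465 is handed to .20, and once
# that flow closes it is re-used for .21 fifteen seconds later.
NAT_LOG = """\
2009-04-22T12:00:10 NAT 192.168.1.20:51234 -> 203.0.113.5:8465
2009-04-22T12:00:25 NAT 192.168.1.21:40000 -> 203.0.113.5:8465
"""

# Constructed DHCP log. The second DHCPACK for 192.168.1.20 carries the
# same MAC as the first. Whether it answered the original lessee or a
# host that copied that MAC after the original went quiet is recorded
# nowhere: the log line is byte-identical in both cases.
DHCP_LOG = """\
2009-04-22T11:58:00 DHCPACK 192.168.1.20 00:1a:2b:3c:4d:5e
2009-04-22T11:59:40 DHCPACK 192.168.1.21 00:1a:2b:3c:4d:5f
2009-04-22T12:05:00 DHCPACK 192.168.1.20 00:1a:2b:3c:4d:5e
"""


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def parse_nat_log(text: str) -> List[NatBinding]:
    bindings = []
    for line in text.splitlines():
        when, _tag, inside, _arrow, public = line.split()
        inside_ip = inside.rsplit(":", 1)[0]
        public_port = int(public.rsplit(":", 1)[1])
        bindings.append(NatBinding(parse_ts(when), inside_ip, public_port))
    return sorted(bindings)


def parse_dhcp_log(text: str) -> List[Lease]:
    leases = []
    for line in text.splitlines():
        when, _tag, ip, mac = line.split()
        leases.append(Lease(parse_ts(when), ip, mac.lower()))
    return sorted(leases)


def latest_before(entries, t: datetime, match: Callable):
    """Most recent entry with start <= t that satisfies match(), else None."""
    hit = None
    for entry in entries:            # entries are sorted by start time
        if entry.start <= t and match(entry):
            hit = entry
    return hit


def attribute(public_port: int, observed: str,
              nat: List[NatBinding], dhcp: List[Lease],
              remote_skew_seconds: int = 0) -> Optional[Tuple[str, str]]:
    """Return (inside_ip, mac) for the host behind public_port.

    `observed` is the timestamp written by the remote party (say, a web
    server).  `remote_skew_seconds` is how far that clock ran behind the
    firewall's clock; it is added to convert the remote time to firewall
    time.  If the skew is unknown, the answer is only as good as the guess.
    """
    t_fw = parse_ts(observed) + timedelta(seconds=remote_skew_seconds)
    binding = latest_before(nat, t_fw, lambda b: b.public_port == public_port)
    if binding is None:
        return None                  # port not in use at that time
    lease = latest_before(dhcp, t_fw, lambda l: l.ip == binding.inside_ip)
    return (binding.inside_ip, lease.mac if lease else "no lease on record")


def demo() -> Tuple[Optional[Tuple[str, str]], Optional[Tuple[str, str]]]:
    """Same remote timestamp, two different answers."""
    nat = parse_nat_log(NAT_LOG)
    dhcp = parse_dhcp_log(DHCP_LOG)
    synced = attribute(8465, "2009-04-22T12:00:15", nat, dhcp)
    slow = attribute(8465, "2009-04-22T12:00:15", nat, dhcp, remote_skew_seconds=15)
    return synced, slow


if __name__ == "__main__":
    synced, slow = demo()
    print("clocks agree:          ", synced)
    print("remote clock 15 s slow:", slow)
```

With the clocks in agreement the remote server's "12:00:15" resolves to 192.168.1.20; if the remote clock merely runs 15 seconds slow, the identical log line resolves to 192.168.1.21 and a different MAC. The MAC itself is whatever the DHCP server wrote down, which is all a spoofing host needs to reproduce, so the retained records answer "which address" only to the precision of the clocks and the honesty of the client.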

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.
