Software Infrastructure for Electronic Commerce
Professor Fred B. Schneider
Dept. of Computer Science
Cornell University
Networked Computing Systems
• Provide opportunities …
  • Increase speed/bandwidth of interaction.
  • New modes of interaction for customers.
  • New services.
• Introduce risks ...
  • System development cost and timing.
  • Dependence on hardware/software.
This week: CS lectures
• Learn the vocabulary and basic concepts behind e-commerce-relevant technologies.
• Build intuitions for using these concepts and for evaluating the relevant technologies. Where are the opportunities today? Tomorrow?
• Acquire technology skepticism. Where are the risks today? Tomorrow?
Intended Audience
You are
• a business-oriented person with a strong interest in the roles of computer and communications technology,
• a user of computer applications (e.g. Word, Excel) who doesn't know how to program,
• a casual "surfer" of the Internet (web) for information and/or purchases,
• and have not taken CS513, CS514, CS432, or CS632.
Lecturer Backgrounds
We are
• academic computer scientists who teach, research, and write,
• with industrial experience:
  • Consulting to management.
  • Running "start-ups" (2 on-going; 1 sold).
  • CEO, CTO, chief scientist, tech advisory boards, etc.
Lecturers
Fred B. Schneider (Computer security) fbs@cs.cornell.edu 4115C Upson Hall 255-9221
Ken Birman (Networks/Reliability) ken@cs.cornell.edu 4119B Upson Hall 255-9199
Johannes Gehrke (Databases/data mining) johannes@cs.cornell.edu 4108 Upson Hall 255-1045
Trustworthy Networked Information Systems
All about the non-technical context for this technical subject.
Networked Information Systems
A Networked Information System (NIS) integrates
• computers,
• communications, and
• people (as users and as operators).
Distinguishing characteristics:
• Many interfaces to other systems.
• Commercial off-the-shelf (COTS) hardware + software.
• Extensible system components.
A Trustworthy NIS
Works correctly, despite
• environmental disruption,
• human user and operator errors,
• hostile attacks, and
• design and implementation errors.
Holistic and multidimensional problem:
• Property of the system, not just of its components.
• Involves many interacting sub-properties.
NIS software characteristics
• Substantial legacy content.
• Documentation missing or incomplete.
• Difficult to modify or port.
• Grows by accretion and agglomeration.
• No master plan or architect.
… Nobody understands how/why the system works.
• Uses commercial off-the-shelf (COTS) components and COTS middleware:
  • Reduces costs and risks.
  • Increases labor pool.
  • Facilitates interoperability.
  • Limited internals visibility / capacity for change.
  • Dependence on 3rd party.
Some relevant business trends
• Organizations driven to operate faster / more efficiently (e.g. JIT production and services).
• Climate of deregulation (e.g. power, telecom) promotes cost control and product enhancements.
• Rise of electronic commerce.
NIS as a response
NIS affects costs and products:
• Enables outsourcing of suppliers. (b2b)
• Enables diminishing capacity cushion.
  • Control is more difficult --- need automated support.
  • Control is more necessary --- don't have spare capacity.
  • But cascading failures more likely.
• Enables product enhancements, but complexity is increased, so the result is flaws and surprising behavior.
Two Case Studies
• Public switched telephone network (PTN)
• Internet
Changes in the PTN
• Old model: Few telephone companies; regulated monopoly.
  • Limited cost pressure.
  • Comparatively few services.
• New model: Many telephone companies; freely compete.
  • Intense cost pressure stresses facilities.
  • Many services, for marketing and interworking.
Redundancy in the PTN
• Laying cable involves high cost per mile.
  • Carry more calls per cable; cut costs.
  • Fewer cables: less backup; more circuits interrupted by each incident.
So, companies lease circuits from each other.
• Less aggregate spare capacity than appears at first glance.
• Central offices are expensive -- land, auxiliary equipment, etc.
So, fewer CO's; each one is larger.
New Services in the PTN
• New services introduced for differential advantage…
… but now more complexity in the network.
• Must interoperate with other telcos.
  • Check databases; hand off calls to proper carrier, etc.
Again, more complexity.
• Newer equipment (cross-connects, muxes) is software-controlled.
  • Requires authorization.
Many Telephone Companies
• Past: Switches and protocols were designed assuming a few, trustworthy telcos.
  • No firewalls exist for "SS7".
• Today: Anyone can be a phone company; inexperience matters even more than malice.
State of the Internet
The Internet has always had many ISPs.
• No one has a complete view of network state.
• Engineering is hard; problems tend to occur at the seams.
• Cluelessness abounds.
Routing Issues
• Tension: responsiveness versus instability during changes.
  • Configuration errors increase the "flapping" rate.
• Routing protocols are insecure.
  • Errors have already disrupted routing.
  • An attacker could reroute traffic deliberately.
• Need QoS-sensitive routing mechanisms.
General Internet Security
• Pretty bad…
• Some problems due to lack of cryptography.
  • IP spoofing, password "sniffing", etc.
  • IPSEC deployment should help this.
• Most problems due to buggy code.
  • Cryptography won't help this at all.
  • Reported bugs are in cryptographic modules.
Everything is Interconnected
• Phone and power companies use Internet technology.
• Their operational systems are linked to their corporate systems, which are linked to the Internet.
• And the Internet requires power, and is largely built on top of PTN circuits.
What about Internet Telephony?
• Many PTN-specific vulnerabilities (links, databases, etc.) will remain.
• New reliance on IP routing, rather than PTN routing. New database needed, to map phone numbers to IP addresses.
• Harder to move control functions out-of-band on the Internet.
What if NIS is not trustworthy ...
• Information disclosure (stored or transmitted)
  • personal embarrassment
  • compromise of corporate strategy
  • compromise of national security
• Information alteration
  • affect government or corporate operations
• New forms of warfare
  • disable capacity without physical destruction.
  • attack without physical penetration by attacker.
  • "time bomb" and undetectable attacks.
Why isn't NIS trustworthy? Cost!
• COTS is cheaper than custom.
  • Time-to-market determines market share.
  • COTS producers believe:
    • Customers prefer features to trustworthiness.
    • Adding trustworthiness increases time-to-market.
• Must use existing communications fabrics.
  • Few can shoulder the burden of laying cable.
  • Existing services (PSTN, Internet) not well suited for NIS trustworthiness.
Costs / Trustworthiness could change
• Moore's Law:
  • Semiconductor density doubles every 18-24 months.
  • COTS predominance implies trustworthiness investments can be highly leveraged.
• Communications fabrics likely to undergo radical changes in coming years:
  • growth in cable, satellite, cellular.
  • new pricing for new services.
Why invest in trustworthiness?
• To manage risk!
  • Need: probabilities and costs of breaches.
  … Security risks are more difficult to identify and quantify than those that arise for reliability.
  • Clear trend: migration from risk avoidance to risk management?
• To create new market opportunities:
  • FedEx, banking, e-commerce b2b/b2p
Won't the market solve this problem? No.
• Few customers understand:
  • What trustworthiness buys.
  • What is risked by its absence.
  (Reliability is an exception: strong market here.)
• Consumers seem to prefer functionality!
• Producers/consumers cannot assess:
  • Trustworthiness of products.
  • Costs of having trustworthiness in products.
  • Costs of not having trustworthiness in products.
Conveying product trustworthiness
No solution in sight or expected...
• Identifying metrics for reliability is realistic.
• Identifying metrics for security is misguided.
• What about standards/criteria/specifications?
  • Process (e.g. SEI CMM, ISO 9000).
  • Artifact (Good Housekeeping seal, Consumer Union, …).
    • Cannot keep pace with evolving threats.
    • Cannot keep pace with product development cycle.
    • Evaluated products not good enough… Glue is important.
Functionality versus Assurance
What does the rating convey?
Functionality: What it does.
Assurance: Confidence that that is what it does.
[Diagram: assurance plotted against functionality, with the two off-diagonal regions labelled "Conservative" and "Danger".]
Cryptography: Political and Technical
• Most security problems due to buggy code.
• Inhibitory factors to deployment:
  • Government regulations (but they are changing!).
  • Reduced convenience and usability.
  • Sacrifice interoperability (e.g. email).
  • Increased computation/communication requirements.
  • Lack of existing infrastructure.
  • Patent restrictions (notable expirations in Fall '00).
For Further Reading
Read
• Executive summary
• Chapters 1 and 6
of: Trust in Cyberspace, National Academy Press, (1999).
It can be found at: http://www.nap.edu/readingroom/books/trust