After months of work, and spurred by an initial report by Professor Ted Byfield of New School University's Parsons New School for Design, we’re happy to report a security vulnerability fix in a product called Safe•Connect.
While the immediate story is good, the underlying context should raise real concerns about the dangers inherent in the ongoing obsession of Congress and the content industry with pressuring intermediaries, especially universities, to use their status as network operators to require individuals to install monitoring software like Safe•Connect on their computers in order to appease the content industry. As Stewart Baker, then the Department of Homeland Security’s policy czar, warned during a similar incident involving the Sony Rootkit: "It’s very important to remember that it’s your intellectual property — it’s not your computer. And in the pursuit of protection of intellectual property, it’s important not to defeat or undermine the security measures that people need to adopt in these days."
Network administrators have been interested for years in software meant to enforce rules on other people's computers connected to a network – a technology called Network Access Control (NAC). NAC software runs as an agent on behalf of the network administrator, reporting back information about how the computer is configured, examining its security policies, and, in some cases, making changes. We might describe such software as spyware that network operators ask users to install on their computers, although the Safe•Connect system does not appear to be configured to report back on the content a user stores on his or her computer. Why do network operators want this power? There are many possible reasons, but, most often, it's aimed at making sure the network users have taken security precautions and applied software updates that the network operator considers necessary. Such enforcement software sometimes requires administrative privileges on the users' computers, and in any case its use raises serious questions about computer users' autonomy and right to control and make decisions about their own computers.
In an academic environment, the use of this software on non-university-owned computers — like the personal machines owned by students, teachers and campus visitors — is sometimes controversial. Although it might be used largely in users' own interest, especially when it helps remind less-sophisticated users to apply software upgrades they might otherwise neglect, it can also introduce security and privacy threats of its own. At a minimum, schools should examine this type of software skeptically and should give sophisticated users a way to opt out of installing it. Unfortunately, one source of pressure overshadowing universities' decision-making in this area lately has been Congressional attention to copyright enforcement.
While the RIAA has abandoned its ineffective litigation campaigns, it and the MPAA have increased their efforts to lobby Congress, pressure intermediaries, and lobby Congress to pressure intermediaries to take ever more draconian steps to try to stop copyright infringement. In particular, colleges and universities have always been popular targets for both Big Content and Congress. In addition to threatening letters, ill-advised lawsuits, and propaganda campaigns, anti-P2P zealots have embraced technological “solutions” such as Audible Magic’s CopySense. EFF’s technologists believe these technologies are fundamentally flawed: they are expensive, easily circumvented, and ultimately ineffective. However, the drumbeat coming from Congress may be deterring some universities from looking critically at these technologies, instead encouraging them to adopt quick fixes.
Safe•Connect Security Vulnerability
Enter Safe•Connect, a product developed by Impulse Point, LLC. Safe•Connect is one of a breed of NAC products, designed to keep private networks—particularly college and university networks—“clean.” Impulse Point markets Safe•Connect as capable of enforcing compliance with security policies set by the school’s network administrators. In addition to keeping students’, teachers’ and campus visitors’ anti-virus software updated and their operating systems patched (security measures that users might be neglecting), the technology is marketed, and in some cases used by schools, to prevent those on campus from running certain peer-to-peer software over the school’s network resources. In other cases, the technology “warns” those on campus that are running P2P software, making sure they know that Big Brother is watching.
It was New School University’s requirement that students and faculty install Safe•Connect on their own computers that led Professor Byfield, a professor of Art, Media and Technology, to raise his initial concerns. Starting with Professor Byfield’s work, and especially curious about Impulse Point’s claimed ability to notify users about and block peer-to-peer systems, EFF and researchers at the University of Michigan started investigating.
We obtained a copy of the Policy Key, the application from Safe•Connect that universities require each student, faculty or visitor to install on her personal computer before she is allowed access to the Internet over the university network. After a bit of reverse engineering, the researchers found that an older but widely-distributed version of the Policy Key would accept purported “updates” from a local server with no authentication. So a knowledgeable attacker, even on a non-university network, could pretend to be this server and substitute malicious software of their choice, disguised as Policy Key updates. That means users who ran this version of the Policy Key on their systems could be vulnerable to attacks from strangers even after leaving the universities that originally asked them to install it. This goes to show that asking people to install software just to be allowed onto a network can come with its own set of security risks, since bugs in that software constitute new ways onto users' machines. (The MacOS X Policy Key version also ran as root with improperly-set file permissions, which would let any other software on a MacOS system with the Policy Key installed gain administrative privileges and take over the system.)
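For administrators who want to check an installed agent for the class of file-permission problem described above, the following audit sketch is an added example; it is not Impulse Point's code or the researchers' tooling. The directory layout is constructed in a temporary folder, and the `trusted_uid` and `stop_at` parameters are hypothetical names chosen for this illustration.

```python
import os
import shutil
import stat
import tempfile

def _reasons(st, trusted_uid):
    """Why a user other than trusted_uid could modify or replace this entry."""
    reasons = []
    if st.st_uid != trusted_uid:
        reasons.append("owner uid %d is not trusted" % st.st_uid)
    # A sticky directory (like /tmp) stops users replacing entries they do not own.
    sticky_dir = stat.S_ISDIR(st.st_mode) and bool(st.st_mode & stat.S_ISVTX)
    if not sticky_dir:
        if st.st_mode & stat.S_IWGRP:
            reasons.append("group-writable")
        if st.st_mode & stat.S_IWOTH:
            reasons.append("world-writable")
    return reasons

def audit_privileged_path(target, trusted_uid=0, stop_at=os.sep):
    """Check a file run with privileges and every ancestor directory up to
    stop_at; a writable ancestor lets the file be swapped out even when the
    file's own mode looks correct."""
    findings = []
    path, stop_at = os.path.realpath(target), os.path.realpath(stop_at)
    while True:
        reasons = _reasons(os.lstat(path), trusted_uid)
        if reasons:
            findings.append((path, reasons))
        if path == stop_at or path == os.path.dirname(path):
            return findings
        path = os.path.dirname(path)

def demo():
    """Constructed layout: <tmp>/agent/helper stands in for a root-run helper."""
    base = tempfile.mkdtemp()
    agent_dir = os.path.join(base, "agent")
    helper = os.path.join(agent_dir, "helper")
    os.mkdir(agent_dir)
    with open(helper, "w") as f:
        f.write("#!/bin/sh\n")
    uid, results = os.getuid(), {}  # current user stands in for root here
    cases = [("weak file", 0o755, 0o777), ("weak dir", 0o777, 0o755),
             ("fixed", 0o755, 0o755)]
    for label, dir_mode, file_mode in cases:
        os.chmod(agent_dir, dir_mode)
        os.chmod(helper, file_mode)
        results[label] = audit_privileged_path(helper, uid, stop_at=base)
    shutil.rmtree(base)
    return results

if __name__ == "__main__":
    for label, found in demo().items():
        print(label, found)
```

On a real system, call `audit_privileged_path` with the default `trusted_uid=0` on each file the agent's root-owned process executes or loads; group-writable findings need a look at who is in that group before they are dismissed.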
Concerned about the thousands of students, faculty and campus visitors who—whether in the name of network security or intellectual property protection—were required to install and run vulnerable software, EFF and the researchers contacted Impulse Point. To their credit, the Safe•Connect developers responded promptly. They pointed out that the vulnerabilities had already been fixed in newer versions for returning students and staff, and they then delivered the security patch to their university network and other customers for those with past versions of the software that were still on their university networks. Impulse Point is also committed to implementing a plan to address those (such as graduating seniors, staff who have left and campus visitors) who were not otherwise likely to get automatic updates.
Bullet Dodged, But Underlying Problems Remain
Overall, we were pleased with Impulse Point’s openness, willingness to respond and the speed with which they responded to us. It was a refreshing change from the hostility with which some technology companies respond to security vulnerabilities. We also have no reason to believe any of the identified vulnerabilities were ever exploited in the wild.
But the underlying problem remains: Big Content’s relentless crusade against P2P technology has unintended consequences. Just as the RIAA’s lawsuits embroiled a number of innocent people in expensive litigation and Congress’ DMCA takedown procedures often chill speech protected by fair use, these technological “solutions” can cause collateral damage. The pressure to require students, professors and campus visitors to install and run software on their computers as a way to “protect” the content industry is wrong, and can be dangerous. Even in the context of protecting network security, requiring everyone on campus to run programs that either run as root or can be adapted or manipulated from afar is troubling, but as a quixotic attempt to deter copyright infringement, it definitely goes too far.