How computer vulnerabilities help us to rethink the locations of ethnography in the digital era

David Bozzini, Sylvain Besençon, University of Fribourg

Introduction

We embarked on our exploration of the computer security fabric by focusing on a peculiar type of event unfolding every day in the information security (infosec) community: the disclosure of computer vulnerabilities. Vulnerabilities in software may allow unauthorized access to digital systems, which is a major threat for developers, vendors and of course users. A wide range of issues is at stake, be it the credibility of a company, the security of all kinds of operations and transactions, the confidentiality of data and the privacy of our (digital) lives, and many more. In a few words, we are looking at how and to whom security researchers, academics and hackers disclose their findings – i.e. “bugs” compromising a digital system or service – when they disclose them.

A vulnerability can be disclosed privately to a company prior to being publicly announced. In this case, it is often called a “responsible” or a “coordinated disclosure” since the developers’ team can fix the bug before the researcher presents his/her finding to a larger audience. Or the “vuln” can be publicly disclosed on social networks or online platforms. Then, experts talk about “full disclosure”, which can potentially create a serious threat considering that the existing flaw could be used to compromise the vulnerable system or service1. We are documenting both cases of disclosure in our project.

In accounting for practices of vulnerability disclosure in computer security, our objective is to analyze the complex and dynamic relationships involved in the making of computer security. Vulnerability disclosures are sensitive processes engaging various actors negotiating several aspects of what unfolds as a crisis whose proportion can vary from the distress of a handful of hyper-specialized experts to a full-blown scandal involving major companies of the digital economy. In any case, a disclosure process, the actions taken by concerned parties and the discussions related to it, may take a worldwide dimension in a few hours and sometimes for several years, involving many different actors around the globe.

To observe parts of disclosure processes, to approach a new research environment for the first time, and to get in touch with our research participants, we decided to attend several “hacker” and “cybersecurity”2 conferences in Europe and in North America. In addition, we are collecting data online about the disclosures we follow3. Unsurprisingly, this initial fieldwork approach proved to be too narrow. We noticed quickly that disclosures are processes far more complex than what we can witness by attending even a fair number of conferences on a couple of continents. Along the same lines, the digital ethnography we devised and its role in accounting for disclosure processes were too short-sighted: rather than a simple event happening in a specific time and place – be it online or offline – vulnerability disclosures are often a discontinuous and lengthy process that can happen simultaneously in different locations and for various durations. This assessment forced us to reconsider the nature of our empirical research and in particular its location(s). It also helped us refine our ethnographic approach in order to grasp the complexity of the diffuse and meandrous processes as we caught sight of them.

What follows is the inception of a cogitation on the nature of our ethnographic exploration of computer security practices, taking a particular disclosure as a case in point to draw some preliminary thoughts on the locations and the temporality of our ethnography. Considering the scope of this short piece, we limited our description of a particular disclosure to a short timeline that highlights the way it unfolded rather than delving into the details of the actual controversies it caused.

The trajectory of a vulnerability named EFAIL

EFAIL is the name given to a series of vulnerabilities that affect two end-to-end email encryption protocols: OpenPGP and S/MIME4. We chose this example not because it is representative of a usual vulnerability disclosure – it is not. We chose it rather because the controversies around it revealed various areas of friction that highlighted some general disagreements regarding the management of vulnerability disclosure. What follows presents the EFAIL disclosure process divided into four ethnographic descriptions of four public discussions of the vulnerability. We named these descriptions “ethnographic planes” instead of more common descriptors in anthropology such as events, sites, phases, arenas, processes, etc. for reasons we discuss later and which constitute the ongoing reflection presented in this paper.

Plane 1 - The messed up public disclosure. For a few days in May 2018, most of the attention of the IT security crowd seemed to be devoted to an enigmatic announcement released jointly by a team of researchers led by Professor Sebastian Schinzel and the Electronic Frontier Foundation (EFF): on May 13, 2018, at 11pm (in Germany), Schinzel tweeted that his team had found a series of critical vulnerabilities in email encryption protocols against which there were no reliable fixes available5. The tweet announced that the full details would be made public two days later. The tweet also provided a link to an EFF blog post6 with some advice to mitigate this until it would be definitely fixed. Following this announcement, many people started to debate the issue itself on Twitter, in forums and mailing lists, even though the full details were not yet available. The day after the announcement and prior to the planned release date, details about the vulnerability leaked7. What followed was a chaotic situation that forced the EFAIL researchers to expedite the official disclosure of the full paper that had already been spread. Several articles in specialist and generalist newspapers, websites and blogs were published immediately after, hyping even more the controversial issues about the nature of the vulnerabilities and how they had been disclosed8. The rough reaction to the announcement unfolded along several dimensions: some people claimed that this series of vulnerabilities was nothing new because email encryption had been dead for years because the protocols use old cryptographic schemes, while others were accusing the researchers of putting journalists and political activists at risk by announcing an unpatched vulnerability in protocols they use and need without giving usable solutions.
There was also much criticism of the fact that the researchers gave the vulnerability a name, a website and even a logo, which is certainly useful to publicize the findings but does no good for security, according to these critical voices. Debates raged for nearly two weeks on the several online platforms we tracked before slowly fading away.

Plane 2 - the IETF OpenPGP working group mailing list. The Internet Engineering Task Force (IETF) is the organization responsible for the standardization of many internet protocols including OpenPGP and S/MIME9. A working group (WG) composed of volunteers is dedicated to defining and maintaining the standard. They do that either during the 5-day IETF meetings that happen three times a year, or on the mailing list which is freely available online to anyone10. Right after the public disclosure described in Plane 1, there were no mentions of EFAIL on the mailing list, but on June 30, 2018, an email called “AEAD mode chunk size” was sent to the mailing list11 and provided some technical thoughts about how to mitigate one specific aspect of the EFAIL vulnerability. An asynchronous conversation – mostly on a highly technical level which made it very hard to follow for non-experts (such as us) – lasted till May 2019, one year after the public disclosure of EFAIL. The discussion happened only through emails involving many actors from all around the world. This long process resulted in the release of a new version of a part of the protocol which was later implemented in many pieces of software and digital libraries.

During that time, it was not the only topic that was discussed on this mailing list, but interestingly, there were generally very few explicit mentions of EFAIL as a series of critical vulnerabilities. The EFAIL presented by Schinzel was broken down into a series of technical issues that had to be remediated separately, sometimes by different people. Interestingly, the tempo of what was done and exchanged through the IETF mailing list was not impacted by other manifestations of the vulnerability in the infosec community, like the USENIX presentation that took place in August 2018 (see below “Plane 3”). The discussion happened amongst engineers and developers committed at that time (but for some also recursively in the past regarding this protocol) to finding consensual solutions to be implemented in various competing products.

Plane 3 - the academic presentation at the Usenix conference. On August 16, 2018, in the Grand Ballroom VII–X of the Marriott Waterfront hotel in Baltimore, USA, Damian Poddebniak, on behalf of the EFAIL team, presented the EFAIL attack in front of a (mostly) academic audience at the Usenix Security Symposium12. For the team, the event represented the culmination of months of research and an important academic recognition. For the first time in public, the team deciphered the technicalities of the flaws they uncovered in the old and famous OpenPGP and S/MIME encryption protocols. It is interesting to note that, according to the researchers, the paper was really well received by the academic community, which was concerned with the technical commitment of the attack and not so much with the controversy it generated13. From an ethnographic point of view, it is also worth noting that this academic event happened on another “plane” than what happened in May during the public disclosure: here, only the technical and theoretical advancements were emphasized and little space was left to the general discussion regarding the disclosure process or the possible mitigations. In this plane, the EFAIL vulnerabilities can be seen as a formal object that does not have a visible impact beyond the academic field of computer science: indeed, this instance of EFAIL was assembled for an academic audience and the paper was a formal “proof of concept” of a new technique that the researchers called “malleability gadgets” (Poddebniak et al. 2018). As Schinzel himself told us, the Usenix paper, very theory-oriented, had to be “translated” to a more digestible format for developers and users (personal interview in Leipzig, 27.12.2018). As far as we know, there were very few reactions to this presentation outside the academic arena and it did not result in the circulation of new information over the forums and mailing lists that we have been reading.

Plane 4 - the presentation at the Chaos Communication Congress. Between Christmas and New Year’s Eve, every year since 1984, the Chaos Computer Club (CCC) organizes the Chaos Communication Congress, considered a major event in Europe for all computer geeks and technology enthusiasts. On December 28, 2018, at 8.50 pm, Professor Sebastian Schinzel got on the stage wearing a tee-shirt with the logo of EFAIL. Very different from the 20-minute talk at Usenix, this 1-hour presentation was neither very formal nor too specialized, and beside the technical details, it gave room to broader considerations, e.g. on the pervasive lack of privacy that affects emails and the misadventures of the disclosure process. Indeed, Schinzel did not reveal any novelty concerning the EFAIL vulnerabilities, and for the people who already knew the technical details, there was nothing new from this point of view. But Schinzel also made some statements about the public disclosure process and declared that he would henceforth stick to the delay of the 90-day rule – whatever happens – to avoid the chaos in which the EFAIL disclosure resulted. The 90-day rule he referred to is a consensual ethical trade-off that implies that a researcher who found a vulnerability would give 90 days to the developers before disclosing it publicly. Even though 90 days are somewhat arbitrary, it is a usual standard in practice within the security spheres that is supposed to give enough time for developers while at the same time putting them under pressure. Schinzel thus regretted that he had to postpone the EFAIL disclosure several times and give the developers more than 200 days, because it did not help in finding a solution. On the contrary, he said that it was only when they decided to disclose details about the vulnerability that developers and vendors started committing to release a reliable patch.
He added that although his team had sincerely tried to find the best and most secure solution to disclose the vulnerability, they had been insulted and maltreated by people for handling the vulnerability as they did. During his talk, Schinzel also added that he would probably no longer release a warning statement prior to the vulnerability itself, as he did with EFAIL, because it did not work and people did not understand his intention well. Hence, this talk was among other things intended to close the disclosure controversy that sparked after his initial tweet.

Spatiality, temporality and the obscure backstage of vulnerabilities

This short description shows that the EFAIL disclosure took many forms at different times: an incendiary tweet, a leaked paper, an academic presentation some months later. Some other disclosures also took place behind the scenes: the researchers contacted vendors and developers months before the public disclosure. They also contacted the EFF and other concerned “infosec” groups as well as journalists prior to Schinzel’s tweet14. As in any ethnographic research, we were not able to follow every step and discussion of the EFAIL case and perhaps no one could either, including the EFAIL researchers themselves. Nevertheless, we can draw several important points from what we described.

First of all, once Schinzel announced the vulnerabilities, EFAIL started to take different shapes and meanings in different spaces and locations, both online and offline. Like a proton in a high-energy physics experiment, the impact of disclosure created different simultaneous strains transforming what the researchers discovered into various versions of EFAIL. EFAIL morphed into an urgent threat for journalists and activists, a communication fiasco severely criticized, another reason to abandon OpenPGP adding to a two-decade old polemic about the standard, a series of technical issues to define and to fix separately, a series of remediations to negotiate and assess (which were not immune from personal conflict), an academic paper, a myriad of discourses about what respectful and ethical vulnerability management should be, as well as a CVE number15, a logo and a domain name. In other words, the EFAIL vulnerabilities acted in the world to materialize themselves through the activation of different, but sometimes intersecting, planes as we put it. In the research process, the different planes became more definite only when we could determine what the properties of the particular manifestation of EFAIL we were observing were.

Each of these planes debates what EFAIL is, and indicates what should be done with it, using different discursive registers and coalescing different participants and audiences together (and sometimes into what Kelty called “recursive publics” (2008)). Yet, these four planes all remained closely related to the EFAIL vulnerabilities discovered by Schinzel and his team. Thus, following the trajectories of vulnerabilities – their many disclosures and their impacts in the infosec arena – allows us to witness the making and unmaking of computer security without limiting our ethnographic research a priori to a few expert groups or sites of deliberation. In doing so, we can account for the dynamism of the debates, the actions and the parties assembled together by a particular technical issue into what we have called “planes” so far and that represent an understanding of a “location” (Gupta & Ferguson 1997) in which we gathered empirical data.

Conceptualizing an ethnography of computer vulnerabilities

Although conference venues as well as digital platforms such as Twitter or a mailing list can simply be considered as conventional sites or locations of ethnographic interest, we quickly felt uneasy continuing to think in terms of (multi-)fieldsites. Similar to what Emily Martin said about the ethnography of science, we consider that the locations of our ethnography are not primarily spatial (Martin 1997: 146), or more specifically, that spatiality is not a relevant dimension of the processes we are observing. In addition, declaring that our research is multi-sited and consists of following specific things (Marcus 1995) does not help us to define well enough the nature of our ethnography, and in particular the different types of locations and temporalities. For instance, the discussions following the disclosure of May 2018 were tense and happened simultaneously at different locations online and offline (plane 1), while technical deliberations of plane 2 benefited from a more unitary “location”, the IETF mailing list, and took place during a longer timespan (which is not yet finished as we write).

As manifestations of EFAIL surfaced unexpectedly, our ethnography cannot only be defined as spatially fragmented; it is also asynchronous and iterative in time: some debates stopped in plane 1 but re-emerged months later in plane 4, while the asynchronous discussion we followed on a mailing list dictated the temporality of our ethnography. Moreover, discussing a manifestation of EFAIL with its participants invited us to go back to some internet-archived parts of planes, thus going back in time to discover interactions we were not following when they happened.

The temporal messiness of EFAIL and of our ethnography also prevented us from considering the disclosure as an event in the sense proposed by Bensa and Fassin (2002). If it is undeniable that there is a “before” and an “after” EFAIL, both in terms of discourses and practices, to conceptualize the process as a vulnerability lifecycle as commonly depicted by computer scientists (see for instance Frei et al 2008) results in evening out the bumps on the road, the discussions and the controversies, that are the conditions of our ethnography and the material of our analysis. Considering the process as a unique event would also deny the multiplicity of EFAIL manifestations we mentioned earlier. EFAIL is not a unitary narrative with a beginning, a climax and an end, nor is it only the journey of a team of researchers that found flaws in two protocols and made them known to the public.

It appears obvious from what we described that while conferences are, indeed, important events, we cannot limit our understanding of vulnerability disclosure to the talks and discussions taking place in these venues as they are informed by debates raging online. At best, conferences might be a temporal location in which meanings of the vulnerability developing on some planes converge and are debated16. The case of the conference at the Chaos Communication Congress was in this sense an opportunity for Schinzel to publicly suggest an end to the controversy of the initial disclosure, knowing also that the talk would be available online for those who couldn’t attend the Congress. It is therefore necessary to look beyond the rhetoric of crisis that characterizes the headlines of newspapers, to go beyond the loud debates on social media or the bright talks under the conference spotlights to consider the un-eventful and asynchronous 1-year conversation over the IETF mailing list. But this is not to claim full ethnographic coverage. Ours is obviously partial considering that all the actions taken behind closed doors (to comply with a standardized “responsible” procedure) were unobservable. This acknowledged partiality reverberates in the very idea of ethnographic planes, here understood as observable surfaces of social actions we can only barely scratch, and embraces the merological approach to anthropology Zeitlyn devised in 2009.

The concept of plane therefore refers primarily to a surface of collection, a surface that can extend and grow in any direction and manifest itself simultaneously in several locations or catch the attention of several individuals and groups all around the globe. Planes are not finite per se or delimited once and for all. Planes are logical spaces, not sites or events. In this sense, they carve out a particular manifestation of the EFAIL vulnerabilities through the emergence of debates, participants and audience. EFAIL can therefore be understood as an assemblage of planes that take on an ontological and epistemological relevance in our ethnography.

As an assemblage, EFAIL thus becomes what we call a situation, tweaking what Zigon defines for the Drug War (2015: 502) for the computer security arena: an assemblage of planes “widely diffused across different global scales” in which “persons and objects get caught up” in various capacities, intensities and conditions but that significantly affect their engagements and relationships in the infosec community. A situation like EFAIL can therefore be understood as global in scale but affecting the community unevenly, manifesting itself in diverse planes that emerge, develop and intersect in various locations.

Bibliography

Bensa, Alban and Eric Fassin. 2002. «Les sciences sociales face à l’événement». Terrain 38: 5-20.

Frei, Stefan, B. Tellenbach, and Bernhard Plattner. 2008. «0-day patch – Exposing vendors' (In)security performance». Black Hat Europe, London.

Gupta, Akhil, and James Ferguson. 1997. Anthropological Locations. Oakland: University of California Press.

Kelty, Christopher M. 2008. Two Bits: The Cultural Significance of Free Software. Experimental Futures: Technological Lives, Scientific Arts, Anthropological Voices. Durham: Duke University Press.

Marcus, George E. 1995. «Ethnography in/of the world system: The emergence of multi-sited ethnography». Annual Review of Anthropology 24: 95–117.

Placeck, Thomas H. 2018. «A unified timeline of Efail PGP disclosure events». Online: https://flaked.sockpuppet.org/a-unified-timeline/ (accessed 13.09.2019)

Poddebniak, Damian, Christian Dresen, Jens Müller, Fabian Ising, Sebastian Schinzel, Simon Friedberger, Juraj Somorovsky, and Jörg Schwenk. 2018. «Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels». 27th USENIX Security Symposium. https://www.usenix.org/conference/usenixsecurity18/presentation/poddebniak

Zeitlyn, David. 2009. «Understanding Anthropological Understanding: for a Merological Anthropology». Anthropological Theory 9 (2): 209–231.

Zigon, Jarrett. 2015. «What is a situation? An assemblic ethnography of the drug war». Cultural Anthropology 30 (3): 501-524.

1 A large number of procedures and actors are involved in disclosure management, allowing for all kinds of gray areas between the poles of the simple private/public dichotomy we outlined here. In this research, we focus only on processes that involve public disclosures.

2 Infosec is a contraction of “information security”, an emic term usually used to refer to what is commonly named “cybersecurity” in the media or the political spheres. In this article, we use infosec to describe the security experts’ arena, while “cybersecurity” refers to conferences usually retaining this designation.

3 This research project is exploratory and funded under the SNSF scheme “Digital lives”. The project description is found in the SNSF p3 database: http://p3.snf.ch/project-183223.

4 See https://efail.de/ for more details. Encryption consists of a mathematical operation that turns a plain text into a ciphertext that can only be decrypted by a unique secret key. While most messaging apps use end-to-end encryption, standard emails are by default sent in plain text over the network, allowing a whole palette of potential attacks and surveillance practices. An encryption protocol consists of a document that specifies the specs and instructions to encrypt a plain text to a cryptogram, and vice versa. OpenPGP and S/MIME are the two main encryption protocols that are used for emails: OpenPGP is mostly used by journalists, political activists or software engineers, while S/MIME is generally adopted by organizations or companies.

7 For some details regarding the leak see (Placeck 2018).

8 This particular case indicates that the distinction made between “coordinated” and “full” disclosure is sometimes unclear. Procedures and claims about their “responsible” nature are often contested.

9 IETF standards are published in English as «Requests for comment» (RFC) and are freely accessible to anyone on the IETF website. For example, the specification for the OpenPGP protocol is RFC 4880: https://tools.ietf.org/html/rfc4880.

12 We did not attend this conference, but the paper, the video and slides are available on https://www.usenix.org/conference/usenixsecurity18/presentation/poddebniak. Complementary information was also received directly from the researchers.

13 The only question regarding the controversy was related to the way the researchers tried to disclose it, and not why they did it when no fix was available.

14 For a summarized timeline of some of the steps prior to the disclosure, see Placeck 2018.

15 CVE is the abbreviation for Common Vulnerabilities and Exposures. A USA-based research and development center maintains a register which references most of the major publicly disclosed vulnerabilities. It is the most widely used register for computer vulnerabilities.

16 Or at which participants involved in a plane physically meet to resolve some issues. This is the reason why these conferences are filled with many side events, public or private.