Hey Amazon: Banning Security Researchers Isn’t Making Us Safer

Readers of this blog may recall that I’m a big fan of the RSA-key ‘cracking’ research of Nadia Heninger, Zakir Durumeric, Eric Wustrow and Alex Halderman. To briefly sum it up: these researchers scanned the entire Internet, discovered nearly 30,000 weak RSA keys installed on real devices, and then factored them.
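To make the ‘cracking’ concrete, here is an added example (mine, not code from the post or from the researchers) of the core weakness that work exploited: RSA moduli generated with too little entropy can end up sharing a prime factor, and a GCD across a collection of public moduli recovers that prime, which splits every affected key. The moduli below are constructed from toy-sized primes standing in for real device keys, so it runs offline.

```python
# Added example, not from the original post: factoring RSA moduli that share a prime.
# The primes are toy-sized stand-ins (assumed prime, just above 10^6); real keys use
# 512- or 1024-bit primes, but the arithmetic is identical.
from functools import reduce
from itertools import combinations
from math import gcd

# Constructed sample keys. P_SHARED models a prime that a broken RNG handed to
# several devices; N3 models a healthy key that shares nothing with the others.
P_SHARED, Q1, Q2 = 1000003, 1000033, 1000037
P3, Q3 = 1000039, 1000081
N1 = P_SHARED * Q1
N2 = P_SHARED * Q2
N3 = P3 * Q3


def batch_gcd(moduli):
    """For each modulus n, return gcd(n, product of all the other moduli).

    A result of 1 means n shares no prime with the rest of the set; a proper
    divisor of n is a prime factor and the key is broken. The paper did this
    for millions of keys with a product tree and remainder tree; computing
    product // n directly, as here, is the same mathematics without the speed.
    """
    product = reduce(lambda a, b: a * b, moduli, 1)
    return [gcd(n, product // n) for n in moduli]


def factor_shared(moduli):
    """Return {n: (p, q)} for every modulus that shares a prime with another key."""
    found = {}
    for n, g in zip(moduli, batch_gcd(moduli)):
        if g == 1:
            continue
        if g == n:
            # Edge case: both primes of n appear elsewhere (n is an exact duplicate,
            # or it shares p with one key and q with another). The batch gcd returns
            # n itself and splits nothing, so fall back to pairwise gcds.
            for m in moduli:
                if m != n:
                    h = gcd(n, m)
                    if 1 < h < n:
                        g = h
                        break
            else:
                continue  # only exact duplicates: still unfactored
        found[n] = tuple(sorted((g, n // g)))
    return found


def pairwise_factor_shared(moduli):
    """Reference implementation: O(k^2) pairwise gcds, used to cross-check batch_gcd."""
    found = {}
    for a, b in combinations(set(moduli), 2):
        g = gcd(a, b)
        if 1 < g < a:
            found[a] = tuple(sorted((g, a // g)))
        if 1 < g < b:
            found[b] = tuple(sorted((g, b // g)))
    return found


if __name__ == "__main__":
    for n, (p, q) in factor_shared([N1, N2, N3]).items():
        print(f"n={n} factored as {p} * {q}")
```

The point of the cross-check is the failure mode the batch method has on its own: a modulus whose primes both appear elsewhere in the set comes back as gcd(n, P/n) = n, which tells you the key is compromised but not how to split it; the pairwise fallback handles the case where the two primes come from two different keys, and an exact duplicate stays unfactored because there is genuinely nothing to split. With real key counts the naive product is far too slow, which is why the paper’s product-tree approach matters, but the security lesson is already visible at this size: the private key of a device is only as secret as the primes nobody else was handed.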

In the fast-paced world of security, this is already yesterday’s news. The problems have been responsibly disclosed and repaired, and the manufacturers have promised not to make, well, this particular set of mistakes again. The research even received the Best Paper award at Usenix Security.** So you might ask why I’m writing about it now. And the answer is: I’m not.

What I’m writing about today is not the research itself, but rather the blowback from the research. You see, Heninger et al. were able to conduct their work mostly thanks to resources rented from Amazon’s Elastic Compute Cloud (EC2). And in response, Amazon has booted them off the service.

This is a real drag, and not just for the researchers in question.

Cloud services like EC2 are a huge resource for ethical security researchers. They help us to learn things about the Internet on a scale that we could never accomplish with the limited resources in most university labs. Cloud services also give us access to software and hardware that would be nigh on impossible to justify to a grant committee, stuff like GPU cluster instances which are invaluable to cryptographers who want to run specialized cracking tasks.

But more importantly: cloud computing has brought with it a whole new class of security threat, things we never had to worry about before, like side-channel and covert-channel attacks between co-located VMs. Securing the cloud itself requires real-world analysis, and this means that researchers have to be trusted to do some careful, non-malicious work on actual platforms like EC2. Unfortunately this is just the kind of research that the Heninger et al. ban could serve to discourage.

Now, I don’t pretend that I know all the details of this particular case. I haven’t spoken to the researchers about it, and although the paper makes their scan seem pretty benign, it’s always possible that it was more aggressive than it should have been.*

Moreover, I can’t challenge Amazon’s right to execute this ban. In fact their Acceptable Use Policy explicitly proscribes security scans under a section titled ‘No Security Violations’:

  • Unauthorized Access. Accessing or using any System without permission, including attempting to probe, scan, or test the vulnerability of a System or to breach any security or authentication measures used by a System.

The question here is not whether Amazon can do this. It’s whether their — or anyone else’s — interests are being served by actually going through with such a ban. The tangible result of this one particular research effort is that thousands of vulnerable systems became secure. The potential result of Amazon’s ban is that millions of systems may remain insecure.

Am I saying that Amazon should let researchers run amok on their network? Absolutely not. But there has to be a balance between unfettered access and an outright ban. I think we’ll all be better off if Amazon can clearly articulate where that balance is, and provide us with a way to find it.

Update (9/3): Kenn White points me to this nice analysis of the public EC2 image-set. The authors mention that they worked closely with Amazon Security. So maybe this is a starting point.

Notes:

* Admittedly, this part is a little bit ambiguous in their paper. NMAP host discovery can be anywhere between a gentle poke and an ‘active scrub’ depending on the options you’ve set.

** In case you haven’t seen it, you may also want to check out Nadia’s (NSFW?) Usenix/CRYPTO rump session talk.

5 thoughts on “Hey Amazon: Banning Security Researchers Isn’t Making Us Safer”

  1. Just a few coffee fuelled 'two cents' on this from Monday morning…

    The problem really involves discussing the SLAs and legal issues.

    Amazon are trying to prevent their infrastructure from being used to provide InSecurity-as-a-Service, and for performing malicious activities.
    Activities made illegal under various 'Computer Crime acts'.
    As you pointed out, Amazon are within their rights to prevent themselves from being liable in the event that claimants take legal action after a security breach made possible by EC2.
    That is, someone will say: “We cannot sue the hackers that breached our system, but we can sue Amazon for providing the infrastructure to do so”.

    Intermezzo: It is interesting to point out that this question is moot when the researchers have permission from the system owners to do so; this is allowed under the Amazon fair-use policy and covered in legislation.

    The best example of 'computer crime' legislation is the Council of Europe's Convention on Cybercrime (ratified by a host of nations) in which Chapter II Section 1 Articles 2-6 cover malicious activities, *and* security researchers.
    I do have problems with these acts for several reasons most of which stem from problem that with such acts they forget about, or provide inadequate legislation for security researchers.

    Intermezzo: Amazon would be seen as liable under Chapter II Section 1 Article 11: Attempt and aiding or abetting.

    In this particular case I believe people are arguing that the problem is in relation to Security Scanning, covered under Chapter II Section 1 Article 2: Illegal Access “when committed intentionally, the access to the whole or any part of a computer system without right.”
    The key phrases here are: “access”, “any part”, and “without right”.
    Services can be seen as the 'any part' of a computer system, where computer system refers to both individual servers and networks—see Chapter 1 Article 1 Paragraph A: Definitions.
    Thus by performing the scan researchers are apparently “illegally accessing” a service.
    But can the service the researchers used to obtain public RSA keys be seen as being a 'public service' or a 'publicly accessible service'?
    The latter implying that one needs permission to use it.
    What do the notions of 'right' and 'access' entail in relation to accessing services?

    If the service is accessible publicly do we need permission to use it?
    Yes we do, just because the service is accessible publicly doesn't mean we have the right to use it.
    If the service is a public service, do we need permission to access it?
    I do not think so, as the service is meant to be public and used by the public then the 'right of access' is an emergent property of the system.
    Who needs permission to use publicly accessible services!

    The scanning/accessing of public services as offered by a computer system e.g. in an attempt to obtain public RSA keys, should not be seen as illegal access!

  2. See, the problem here is not that Amazon is aggressively detecting and stopping scans. I assure you that you can run a malicious scan on EC2 and never have a problem. The concern is that Amazon is shutting down scans that *don't* make an effort to be stealthy — precisely because they're research work and not intended to be secretive. This seems like a bad approach to securing the network.
