Last byte

Q&A: Hello, Underworld

Stefan Savage's innovative research has focused on strengthening the security, privacy, and reliability of networks.
ACM-Infosys Foundation Award recipient Stefan Savage

Consider the spammer: that is what University of California, San Diego (UCSD) professor and this year's ACM-Infosys Foundation Award recipient Stefan Savage did nearly 10 years ago, when he began to expand his research beyond the technical aspects of network security. What he found was not just a fascinating glimpse into an underground community and a dynamic global marketplace; he also gained insights that led to valuable techniques for combatting spam, reducing vulnerabilities in automotive software, and strengthening cybersecurity.

You have spent the bulk of your career in network security. What sparked your interest?

When I got to UCSD, I was working on network protocols, and for a variety of self-serving reasons, I began wondering if you could abuse those protocols to do different kinds of measurements. It turns out that you could.

That is what opened your eyes?

All of this stuff presumes that everyone is well behaved, and if you're not, you can do all kinds of strange things. It's almost like those sci-fi horror movies where you get the special glasses and you can see aliens. You start looking at the world like an adversary.

This was during the Internet worm outbreak era, when worms were taking over hundreds of thousands of machines.

For totally serendipitous reasons, we ended up having an amazing monitoring capability at UCSD where we could measure how a worm was spreading over the Internet and look at different DoS attacks. I started working with Geoff Voelker and Vern Paxson, and we did a lot of purely technical work until about 2007.

Since then, you have taken a more holistic approach, in which you look beyond the technical components of computer security to economic and social motives.

At the end of the day, the only reason you care about security is that you actually think someone is out to get you. But that's not always reasonable. No one is hacking my kid's Barney the Dinosaur doll; there's no incentive. All of the conflict we have in the cyber realm is conflict that just generally exists. It's not like if there weren't computers, people wouldn't still want your money or want to steal your intellectual property. It's just that that's the medium through which they can do it in the 21st century, given that we've shoved a bunch of money and valuable information online.

One of the first domains you looked into using this lens was spam.

When we began our research, we realized that we tend to think about spam as a filtering problem: how do I recognize the email that I want from the email that I don't want? To a certain extent that works—most of us have a modest amount of spam, and it doesn't really bother us. In another sense it doesn't work, because 99% of the email that's transited is still spam, and that would only be true if people were actually clicking and buying.

So what makes spam possible?

The fascinating part about spam filters is that they are part of the solution and part of the problem. For drugs, 30% of revenue comes from people who actively go into their spam folders, find the Viagra spam, and click on it. So their spam folder is a classifier.

What happens after someone clicks? Did the drugs you bought really show up?

Without fail.

Were they what they claimed to be?

We analyzed a subset. We didn't do a hardcore chemical assay, but we did put it under a mass spectrometer and look at the distribution of the underlying chemicals. And when you match up the spectral patterns of the counterfeit stuff and the reference stuff, there's no difference.

So counterfeit drug producers are not interested in ripping off their customers.

Right. We were also privy to a variety of leaked email and text messages, and to a first approximation, these people do not think of themselves as criminals. Much of the counterfeit drug market is eastern European, where there's a certain worldview that intellectual property protection is a tool of the bourgeois West, and that in fact they are shipping a quality product, lowering prices, and satisfying a need.

The people doing credit card theft think of themselves as criminals. They might justify it by saying that their victims have so much money. But a lot of these other scammers don't take any heart in their status as outlaws. They think of themselves as businesspeople.

In the end, you discovered that 95% of pharmaceutical and software counterfeiters relied on a handful of banks, and you were able to work with Visa and MasterCard to shutter their accounts. What has happened since?

Everywhere these techniques have been applied, there's been a serious impact to the ecosystems. It has also shifted substantially where the money goes. In software, drugs, and especially in counterfeit goods like Gucci handbags, it's all moving to the Bank of China. And that remains a bit of an open question. China is in a special position vis-à-vis the financial world. It's a little different when it's some small Azerbaijani bank.

You have also done some work in the automotive sector.

This notion that your car is a Henry Ford-style thing that happens to have a computer in it turns out to be totally wrong. The mental model everyone should have is that the most complicated distributed system you use is the one you drive in, and it happens to have wheels on it.

Here, too, your work was informed by your attempts to understand the broader structure of the automotive industry.

Far too often, when people do this kind of vulnerability research, there is a tendency to name and shame, and I'm not convinced that it does anyone any good. The most interesting part of our research was not the technical details—it wasn't like there was a class of vulnerability that no one had ever heard of. What was eye-opening was trying to figure out why we found what we found.

Most of the vulnerabilities you discovered were at the interface between two pieces of code that were written by different organizations.

One of the things that surprised me the most is that no one has access to the source code for a car. The modern automotive industry has a very deep supply chain, and the OEMs are really just integrators. The suppliers own the IP, and they are not about to give the source code to the OEM. And that happens on down the chain: the suppliers have sub-suppliers, and there's no one who can look through the final product. There is also no agency in the government that's set up to audit the source code of automobiles.

The other thing I thought was fascinating is that there were bugs that were really egregious. They were the kinds of bugs you could not get away with if you worked at a company that sold PC software. You would not be allowed to use those functions because they were so known to be prone to fragility.

But in a certain sense, automotive software is like PC software from the early 1990s, before the Internet took off. The thing that made PC software better is that people started attacking it. From a pure Darwinian sense, it had to get better, or we couldn't use it anymore. Thus far, most embedded systems just haven't had an adversary. Security costs money, which is really hard to justify when you don't have an adversary out there forcing your hand.
