SECRECY VERSUS OPENNESS Internet security and the limits of open source and peer production Andreas Schmidt Open source and peer production have been praised as organisational models that could change the world for the better. It is commonly asserted that almost any societal activity could benefit from distributed, bottom-up collaboration — by making societal inter- action more open, more social, and more democratic. However, we also need to be mindful of the limits of these models. How could they function in environments hostile to openness? Security is a societal domain more prone to secrecy than any other, except perhaps for romantic love. In light of the destructive capacity of contemporary cyber attacks, how has the Internet survived without a comprehensive security infrastructure? Secrecy versus Openness describes the realities of Internet security production through the lenses of open source and peer production theories. The study offers a glimpse into the fascinating communities of technical experts, who played a pivotal role when the chips were down for the Internet after large-scale attacks. After an initial flirtation with openness in the early years, operational Internet security communities have put in place a form of social production that resembles the open source model in many aspects, but is substantially less open. ISBN 978-90-8891-988-6 Image Copyright Rafal Olbinski, Courtesy Patinae, Inc. www.patinae.com SECRECY VERSUS OPENNESS Internet security and the limits of open source and peer production Proefschrift ter verkrijging van de graad van doctor aan de Technische Universiteit Delft, op gezag van de Rector Magnificus prof. ir. K.C.A.M. Luyben, voorzitter van het College voor Promoties, in het openbaar te verdedigen op maandag 3 november 2014 om 10:00 uur door Andreas SCHMIDT Magister Artium in Political Science, Medieval and Modern History, Kassel University geboren te Bad Arolsen, Duitsland. Dit proefschrift is goedgekeurd door de promotor: Prof.dr. M.L. Mueller Samenstelling promotiecommissie: Rector Magnificus, voorzitter Prof.dr. M.L. Mueller, Technische Universiteit Delft, promotor Prof.dr. K. Rannenberg, Goethe-University Frankfurt Prof.dr.ir. E. Huizer, Universiteit Utrecht Prof.dr. R. Deibert Universiteit Toronto Prof.dr. N.A.N.M. Eijk, Vrije Universiteit Amsterdam Prof.dr.ir. J. van den Berg, Technische Universiteit Delft Prof.dr. M.J.G. van Eeten, Technische Universiteit Delft Prof.dr.ir. M.F.W.H.A. Janssen, Technische Universiteit Delft, reservelid ! ! ! Copyright © 2014 by Andreas Schmidt. All rights reserved. Subject to the exception immediately following, no part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopy- ing, recording or otherwise, without the prior permission of the author. A digital copy of this work is available at the TU Delft institutional repository, repository.tudelft.nl. Distributed by Delft University of Technology, Faculty of Technology, Policy and Management, Jaffalaan 5, 2628BX Delft, The Netherlands, and Andreas Schmidt, Laubestraße 26, 60594 Frankfurt am Main, Germany. Printed in The Netherlands Published by Uitgeverij BOXPress ISBN 978-90-8891-988-6 Keywords: information security, peer production, open source, internet governance, security govern- ance, incident response The book has been composed in Adobe Caslon Pro and Baron Neue. The manuscript was written with Scrivener, aided by Sente, Devonthink, and Word. Cover designed by Michaela Spohn, michaelaspohn.de. The Marriage of Figaro by Rafal Olbinski as cover artwork. © Rafal Olbinski, courtesy Patinae, Inc., www.patinae.com Table of Contents Acknowledgements vii 1 Introduction 1 1.1 Organising Internet security 3 1.2 The rise of remote collaboration 4 1.3 Existence and viability of peer security production 5 1.4 Research plan 11 2 Theoretical Foundations 15 2.1 Social production and the collaborative turn 16 2.2 The Internet security governance challenge 42 2.3 Secrecy vs. openness 54 2.4 Peer production of Internet security 67 3 Research Design 75 3.1 Research strategy 77 3.2 Analytical model 81 3.3 Data collection and analysis 86 4 Endangering the Internet 91 4.1 Estonian cyberattacks: A country sort of under attack 92 4.2 Conficker botnet: Wasted talent for doom 108 5 Producing Internet Security 123 5.1 Estonia 124 5.2 Conficker 142 5.3 Conclusion 161 6 Social Dimension of Internet Security 163 6.1 Distributiveness 164 6.2 Openness 179 6.3 Socialness 194 6.4 Conclusion 217 7 Limits of Openness 223 7.1 Explaining openness and secrecy 224 7.2 Drivers of secrecy 227 7.3 Trust in the security community 237 7.4 Rationalising the organisation of Internet security production 246 7.5 Conclusion: A variant of social production 255 8 Conclusion 259 8.1 A different way of producing security 262 8.2 Limitations of this study 266 8.3 Suggestions for future research 270 8.4 The state of Internet security governance 271 8.5 Opening security — a civilising role for the community 281 Bibliography 293 Summary 317 Samenvatting (Dutch summary) 323 Curriculum vitae 331 Acknowledgements Good research requires various methods of efficient procrastination. A superb source of comfort for aspiring scholars certainly is phdcomics.com, a website offer- ing wisdoms on the lives of promovendi that are as amusing as depressing. All too often, the brain is buzzing on other things than research, the fingers are resting on the keyboard without moving, no souffleuse would whisper words of academic wisdom and no siren lures one into the beauty of scholarly reason. Then, the adage “There is no team in thesis”1 sounds too convincing. But only then. I’m deeply grateful to all the individuals without whom this project would have been hardly viable, more difficult, not as good and considerably less fun. The mundane foundations of this research project were laid by two organisations. The Next Generation Infrastructure Foundation — and its financier, the Dutch tax- payers — have generously funded my research position at Delft University of Technology. The communications service provider XS4ALL facilitated my super- visor’s professorship and stay here in the Netherlands. I am deeply grateful for this support. The Faculty of Technology, Policy and Management and its section for Infor- mation and Communication Technology have served as my academic home base. It has been the warm, cordial, caring, and collegial place that allowed me to focus on my research. Harry Bouwman has helped with invaluable counsel during my research project. Yao-Hua Tan has been the kind of manager you need when bal- ancing research with newly arrived private responsibilities requires a flexible re- sponse. Marijn Janssen has guided me safely through the final stages of my project. Jo-Ann and Eveline have spoiled me with office supplies, bureaucratic support, and 1 J. Cham, “I in team”, PhD comics, March 25, 2013, http://www.phdcomics.com/comics/archive.php?comicid=1570 vii viii most of all with their kindness and friendship. My colleagues Bram, Fatemeh, Jan, Janneke, Tineke, Jolien, Jos, Mark, Nitesh, Mohsen, Martijn, and Anne Fleur have all contributed to an enjoyable intellectual and social climate and supported my endeavour in various ways. Over the years, I have benefited enormously from in- spiring discussions and pleasant conversations with Michel van Eeten and his team, including Shirin Tabatabaie, Floris Kreiken, and Hadi Asghari. Hadi and Coen van Leeuwen will have helped in the very last part of this endeavour. This research project has benefited immensely from the insights shared by practic- ing experts of Internet security, who were willing to discuss, often for the better part of a day, any aspect of their subject area. I am deeply grateful to Jan Priisula, Gadi Evron, Toni Koivunen, Rain Ottis, Hillar Aarelaid, Mikko Hippönen, Go- razd Božič, Kaido Raiend, Kurtis Eric Lindquist, Bill Woodcock, Merike Kaeo, Kauto Huopio, Andrus Padar, David Watson, Niklas Schiffler, Richard Perletto, Steve Santorelli, Scott McIntyre, Paul Vixie, Andre DiMinio, John Crain, Chris Lee, Tillmann Werner, Rick Wesson, Jose Nazario, Heli Tiirmaa-Klaar, and all the other persons, who prefer to remain anonymous or who I talked to ‘only’ on an informal basis. Furthermore, I feel obliged to a number of wonderful individuals, who invited me to intellectual exchanges, gave valuable input (some extensive, some brief), collabo- rated with me on papers and books, invited me to present my work, or commented theron: Brenden Kuerbis, Axel Arnbak, Ben Wagner Ingo Stützle, Roxana Radu, Jean-Marie Chenou, Markus Beckedahl, Kate Coyer, Stefaan Verhulst, Jason Hea- ley, Jan-Frederik Kremer, Benedikt Müller, Min-Chun Ku, Christian Pentzold, Giampiero Giacomello, and many others. Ralf Bendrath deserves a special thank you for luring me into this project and our joint time in Delft. The finalising of this endeavour was eased by a few helping hands. Deserving of thanks, Katarina has created the transcripts, Danielle and Patrick have proofread this study and provided helpful editorial tips. The stellar design of the cover is the result of Michaela’s artistry. The cover has been made possible by the more than generous efforts of Sherri Nahan from Rafal Olbinski’s agency Patinae Inc. And then there is Milton Mueller. I could not have been happier with his support for my pursuits, his supervision of my project and his patience. Working with a man who knows his subject area like hardly any other has been a blessing and joy. He has helped me out endlessly with super-prompt, sharp and witty comments, admonishing music collections, and revisions of countless, increasingly less imper- fect drafts. Imagine a chivalrous deep bow of warm-hearted gratitude for all of that, Milton. And for the fun we had during the project, a long-lasting smile. ix My final words here are to express my gratitude and love for my friends and family.