Archive for March, 2007

Etech

Posted by wendyg in AnonymitY, Humanity nature and activity, culture at March 26th, 2007

The plan is that I will be blogging here from etech - O’Reilly’s Emerging Technology conference, held this week in San Diego. The programme is available here, in case anyone wants to pick out a session or speaker they would particularly like me to tackle.

Currently, I’m sitting between the registration desks and the materials pick-up area, on the theory that if anyone I know is here they will walk past me. It’s very quiet at the moment, which has led one of my friends to tell me to “twitter” to find people to talk to. He’s talking about this site, which I’d seen a while ago and dismissed as silly and annoying. Basically, people use mobile phones, the Web, or IM to update their whereabouts/thoughts/doings. I suppose that unless you tell your friends your ID you can be basically anonymous to the world at large - after all, how interested is anyone in knowing that some random person was, two hours ago, hanging out in a park in San Diego? But quite a few people I know seem to be using it, and it wouldn’t be hard, if you did want to make their lives difficult, to log their updates and put together a pretty good picture of their lives. And of their friends. It might not mean anything very much to have nominated a friend on one site (for example, the social networking sites, where no distinction is made between friend, acquaintance, casual contact, and a typo). But if you sat down and did a careful analysis and found that I listed the same friends on Livejournal and Twitter, and that we all had CIX accounts, you might start to feel a lot more confident of your inferences.

We talk a lot about privacy issues (and some of the people I see using this are in fact concerned about personal privacy) and yet many of us are perfectly willing to live as public personalities - if we’re not famous enough to be of interest to the mass media to document us, we apparently will do it ourselves.

A second Blindsidish sort of issue strikes me about this, which is that although it might be an interesting tool for, say, a political candidate to use - I’ve seen quite a bit of TV news since I’ve been here referring to this and that presidential candidate - it’s highly unlikely anyone will try it. Supporters might use it to keep track of each other and plan meet-ups. But politicos themselves are unlikely to see it as anything but a security risk. We talk a lot about the digital divide between those who have/use technology and those who can’t/don’t. Politicians and government tend to be in the latter class. We have talked for years about the poor legislation drafted by politicos who don’t understand the technology they’re legislating about, but they may also have increasingly little understanding of the *people* they’re legislating *for*. Which may also be part of why government systems are so rarely built with users in mind. So the most significant digital divide may be that between us and the people who decide on the technology of government systems (such as ID cards, the NHS system, etc.). The LibDems are the most likely to experiment with stuff like this, because when you’re #3 in a two-horse race you have very little to lose. The more successful you are, the less inclined you are to change anything in case you might damage your successful position.

wg

BCS, working at CESG, and scary Web 2.0

Posted by William Heath in Uncategorized at March 24th, 2007

I’ve just twigged the BCS has a good security site. It’s got articles by industry experts on denial-of-service, cybercrime and phishing. Andrew Lee explains about pump’n’dump and other business models for spam, and you can read “a day in the life” of three people in CESG on a sponsored recruitment link. It also links words used in the story to a glossary, which is handy. But I take issue with the report on research by Clearswift which seems to tar contemporary Internet techniques with the wrong brush. It says

over a quarter of office workers aged between 18 and 29 spend more than three hours a week on social networking websites and blogs. Nearly half of these workers discuss issues related to work on these sites, which may pose a security risks to employers, the firm claimed.

Ooh. Scary Web 2.0, eh? But hang on, it’s only scary if you Don’t Get It (“DGI”). Blindside is a very Web 2.0 site, offering a social networking approach for perfectly serious discussion about work-related matters.

‘It’s clear from the research that organisations need to take a closer look at the social media sites that their employees are using at work to ensure sensitive business issues or information is not being discussed,’ commented Ian Bowles, chief operating officer for Clearswift. Earlier this week, a report from security firm ScanSafe indicated that about half of all corporate web traffic is comprised of access to websites not deemed suitable for work.

Alright Ian, if they’re dating on MySpace maybe there’s a problem. But if they’re looking at Blindside they’re probably the sort of employees you need - you can encourage them to use it more.

Bruce Schneier at LSE on the economics of security

Posted by William Heath in Faster/smaller/better..., psychology at March 22nd, 2007

In his second talk in two days at the LSE (this one co-sponsored by the BCS) Bruce Schneier spoke about the economics of information security. Economics is a useful tool for shining a light on information security questions which make no sense from the technology point of view, he said, describing 10 trends in info security:

1. Economic value of information: an old notion with new implications. It’s now normal to have companies whose physical assets are worth less than information assets which can be used for marketing, process streamlining, personalisation, law enforcement and forensics. “If information didn’t have value computer security wouldn’t exist.”

2. Networks as critical infrastructure. If it’s important these days it comes over the net. When did you last get something important in the mail?

3. Third parties controlling information. “Your information isn’t controlled by you.” Our existing legal protections are written in terms of your person, home, car - things under your control. But your emails reside at Google or your ISP, the merchant controls your shopping data and the hospital (or in the UK a central authority) your medical records. Paris Hilton didn’t leak messages from her own phone - they were hacked from T-Mobile. It’s all stored elsewhere under someone else’s control.

4. Criminals are thriving on the net. It used to be hobbyists defacing web sites; now the dominant hackers are criminals trying to take your money with spam, fraud due to impersonation and denial-of-service extortion. There’s a business model for spam and a market for bot networks. It’s global and by some accounts comparable in value to the market for illegal drugs. “They’re not going away and we’re not going to solve this.”

5. Complexity is the worst enemy of security. If computers get better faster and cheaper, why is security getting worse? The answer is complexity. If we wanted a secure operating system we’d start by going back to DOS, but we love complexity. Security is getting better like everything else, but complexity is getting worse faster.

6. Slower patching; faster exploits. There’s a weird business model for software: we build it, throw it out there, and fix it later. You can either have patches fast, or well tested. But not both. Hence Microsoft’s move to a monthly “patch Tuesday”.

7. Sophistication of automatic worms. They used to be simple creatures. Now they’re polymorphic, metamorphic, they use Google for vulnerability assessment. New worms don’t advertise their presence with a cheeky message. They report back to their owner to ask for instructions - to sniff passwords, collect a keystream, infect other platforms. It’s no longer about novelty to score style points - it’s about repeatedly doing what’s effective.

8. Untrustworthiness of the endpoints. The traditional security model, on which something like PGP encryption or SSL is based, requires trusted end points. This model fails. The attackers use Trojans or spyware. The bad guy captures your keystream, or decrypted data, or does background transactions once you’re authenticated. We’re trying, eg with Microsoft Vista, but these endpoints are hard to fix.

9. The end user seen as attacker. The aim of DRM is to protect someone else from you. It reduces your functionality, pisses you off and you can’t delete it. It sounds like a hacking tool; it looks like malicious code (eg the Sony root kit). The security expert can’t protect you and protect from you at the same time. “If I protect you it makes it harder for Sony. If I make it easier for Sony it’s easier for the bad guy.” So we’re set to get more and more invasive tools that assume we are the bad guys.

10. Regulatory pressure. It’s hard to get people to buy security: it’s a “fear” sell. As a greed sell it never works. But what does work to sell security is regulation. Fear of failing an audit is way bigger than fear of data theft. “It annoys me no end, but there you have it.”

Things are getting worse not better. They’re getting more complicated. The non-technical aspects are more important than the technical. And increasingly the driver is economics and not computer science.

The basic economics of security are that if you lose £1000 by being mugged and it happens once every ten years, it’s worth spending £100 preventing it. But this model breaks down as the likelihood becomes zero and the effects catastrophic, and you’re trying to multiply zero by infinity, and there’s no numeric grasp of the risk.

Economics gives us the idea of an externality - a cost borne by someone other than the person responsible. We pollute a river to make chemicals, those downstream suffer. To correct this either the authorities fine the polluter, or those who suffer sue. We need a similar fix to the problem of buggy software. A lot of security paradoxes can be explained by externalities. eg phone security, data thefts. Buggy software, insecure home computers. We need to align ability to mitigate risk with financial responsibility.

The recommended next steps are:

1. Understand the security problem and stakeholders

2. Understand the security and nonsecurity tradeoffs

3. Align the economic incentives (otherwise the problem will never get solved).

4. Implement countermeasures to reduce risk.

5. Iterate as technology changes things, making it faster easier cheaper for the bad guys as well as the good guys.

To hear Bruce Schneier twice in three days isn’t too much. He’s an exuberant communicator, beholden to no-one, even in his new mega-corporate BT entity. As well as using economic perspectives to shine a new light on information security he’s just reaching out to other disciplines like the psychology of risk, and is excited by the power of an interdisciplinary approach.

For regular updates check out his Cryptogram newsletter or his blog.

The problem of fraud websites

Posted by paulspinks in Humanity nature and activity, fraud at March 21st, 2007

Government agencies could do more to combat the problem of “fraud websites” targeting English speaking internet users, including UK citizens. These sites are set up to give credibility to many types of internet scams - they pretend to be banks, barristers, couriers, escrow companies, secure storage facilities, etc (different identities are needed for different types of scam). Often they will clone and lightly edit legitimate websites, such as the Matrix Chambers site belonging to Cherie Booth and her colleagues.

Although fraud sites are easy to recognise, the owners cannot usually be prosecuted under current UK legislation, unless they are “passing off” [example: fake “Barclays Bank”]. The proposed anti-fraud legislation will fare little better, given the difficulty of tracing the offenders (most operate from overseas, routinely hiding behind false identities).

Given the problems faced by traditional law enforcement methods, volunteer groups such as AA419.org have taken the lead in the fight against the fraudsters. Every year, thousands of fraud sites are closed by AA419 (including the Matrix Chambers clone mentioned above).

AA419 succeeds by highlighting blatant falsehoods (e.g., “banks” claiming to operate in the UK but not registered with the FSA), then persuading webhosts to terminate on the grounds of TOS (Terms Of Service) violation. A further incentive for webhosts to act is the likelihood that fraud victim support groups such as scampatrol.org will assist victims to sue webhosts that fail to take effective action after receiving an “internet abuse” report.

However, although AA419 closes thousands of fraud websites each year, there are some areas where the support of UK government agencies may be needed, such as:

1) Fraudsters are increasingly turning to foreign webhosts with poor records for closing fraud sites. Representations by the UK government, perhaps in conjunction with US and European counterparts, could encourage other governments to require their webhosts to take effective action when internet abuse reports are received. Example: fake “Bohai Trust Bank” in netblock owned by China Telecom [source AA419].

2) Some registrars appear to have no effective process for closing fraudulently registered domains. Registrars have no responsibility for website content, but should be encouraged by government to take effective action against fraud sites when it can be shown they were registered using false information. Example: fake “Bank Of China” in the .uk domain controlled by Nominet UK [source: AA419].

Look for the cameras while you still can

Posted by William Heath in Faster/smaller/better..., data mining, e-ID at March 20th, 2007

The notion of identity is still fundamentally misunderstood, even as emerging technologies change beyond recognition how we manage it, we heard yesterday at the LSE. Yet still there has not yet been any sort of full and proper interdisciplinary or public debate.

Bruce Schneier told the seventh Social Study of ICT workshop we live in a unique interim period where identity checks are increasingly everywhere but for now we still know they’re going on. We still use cash and the cameras are still big enough to see. “Everything creates a transaction record - calls, web browsing, buying, not buying, automated toll collection... These records may have value; there’s a reason they’re kept.”

But identity checks can’t deliver security, he said. “The notion that identification is necessary for security turns out not to be true.” To check someone’s ID is not to check whether they’re a bad guy. Osama bin Laden does not have an ID card marked “evildoer”.

A critic had put it to Mr Schneier if he were sitting next to someone acting suspiciously on a plane he’d surely want to know that person’s identity. Not in the least, retorted Mr Schneier: I just need someone to stop him. “Identity does not map to intentionality.” Walls, locks and safes create safety in the real world without checking identity, and the same principles are true in the online world.

Wholesale surveillance is now possible, he said. We don’t just say “follow that car!”. We follow every car, in real time and back through history. Governments like it. It seems to make the police’s job easier. Corporations want to sell services like location-based advertising.

But people don’t make good security tradeoffs. For a small reward they’ll give away a lot of information.

When they’re finally told what’s going on, such as in the UK ID card situation, they say ‘Hey, stop. We didn’t want that’, Mr Schneier said. “But it’s rare they’re told what’s going on.” It’s not a dichotomy of privacy or security, he said. It’s liberty or control.

To think technology will protect us from this is futile, he said. We need laws which anticipate the effects of the emerging technologies. “Learn to look for the cameras now,” he said. “You’ve only got a few years.”

Tim Berners-Lee speaks to the House of Representatives about the semantic web

Posted by William Heath in Faster/smaller/better..., Radically different stuff, databases at March 16th, 2007

The special care we extend to the World Wide Web comes from a long tradition that democracies have of protecting their vital communications channels.

We nurture and protect our information networks because they stand at the core of our economies, our democracies, and our cultural and personal lives. Of course, the imperative to assure the free flow of information has only grown given the global nature of the Internet and Web.

That’s how important this is, Tim Berners-Lee told the US House of Representatives. Looking into the future he saw three trends:

First, the Web will get better and better at helping us to manage, integrate, and analyze data. Today, the Web is quite effective at helping us to publish and discover documents, but the individual information elements within those documents (whether it be the date of any event, the price of an item on a catalog page, or a mathematical formula) cannot be handled directly as data. Today you can see the data with your browser, but can’t get other computer programs to manipulate or analyze it without going through a lot of manual effort yourself. As this problem is solved, we can expect the Web as a whole to look more like a large database or spreadsheet, rather than just a set of linked documents.

Second, the Web will be accessible from a growing diversity of networks (wireless, wireline, satellite, etc.) and will be available on an ever increasing number of different types of devices.

Finally, in a related trend, Web applications will become more and more ubiquitous throughout our human environment, with walls, automobile dashboards, refrigerator doors all serving as displays giving us a window onto the Web.

This doesn’t point us towards information-assurance issues per se, but it certainly underlines what’s at stake in thinking about what’s going to go wrong.

The heavy question of document exchange formats

Posted by William Heath in Humanity nature and activity, standards at March 16th, 2007

The Foreign Office building in Berlin is a great place to reflect on big things that can go wrong in life. At first sight modern, it’s substantial and reassuring with solid panelling and tall, thick doors on vast hinges. It was built in 1934 and served the Nazis as Reichsbank HQ and the Communists as party HQ. A useful reminder how badly wrong things can go, and that we have to do what we can to prevent it.

Earlier this month we met there to talk not about totalitarianism but document exchange formats. Europe doesn’t like the economic effects of a proprietary monopoly, and fears its culture will be locked up at the whim of suppliers. Pragmatists, often from Microsoft, which is pretty happy with the de facto standards situation in electronic office documents, argue that existing industry standards should be made open and accepted not imposed by do-gooders. Or as Jerry Fishenden puts it

Interoperability has always been about the practicalities of getting real, existing systems working with each other. It has always involved both de jure and de facto standards, new and old systems and those that have implemented different iterations of the same standard.

Jerry speaks a lot of sense. Jerry speaks for Microsoft. Does the freedom-loving open-source community (once denounced by a US Microsoft exec as “Unamerican”) find these two statements compatible? Here anyway is the declaration the EU group came up with in that remarkable building on 1 March:

There was strong consensus among Member State administrations on

  • the necessity to use ODEF
  • on “openness” being the basic criteria of ODEF
  • and resulting requirements towards industry players / consequences for public administrations
  • There is a general dissatisfaction with the perspective of having competing standards;
  • One format for one purpose: Administrations should be able to standardize (internally) on a minimal set of formats;
  • No incomplete implementations, no proprietary extensions;
  • Products should support all relevant standards and standards used should be supported by multiple products;
  • Conformance testing and document validation possibilities are needed in order to facilitate mapping / conversion;
  • Handle the legacy / safeguard accessibility

See Blindside wiki on computing monoculture and if you know better please edit it.

DoD and the Highlands Group

Posted by William Heath in Blindside project at March 15th, 2007

An interesting model for engagement between bright thinkers and the official security community is offered by The Highlands Group, run by retired US Navy captain Dick O’Neill. I met him in 2004 when we spoke about the Noosphere - the intelligent interconnected world we’re all going to be in together.

Never before or since has the DoD presented such an outward-looking face, and in the process DoD thinkers leapt 2-3 years into the future. As US magazine Government Exec put it:

O’Neill calls it an “intellectual capital venture firm.” Linton Wells…describes it: “The Highlands Forum is an idea engine. It basically looks to get a small number of people, typically around 25 to 30, together to look at issues at the intersection of technology and policy.” Government executives in 2006 find themselves in a world of increasing complexity and rapid change…The ideas for dealing with such incredible challenges are out there, but not necessarily in federal agencies. Leaders need forums where they can explore ideas that could transform their operations - and their thinking - to more effectively deal with the new world. They need to rev their own idea engines.

….full text below


RFID, passports and library books

Posted by William Heath in Murphy's Law, cracking stuff at March 15th, 2007

Further to recent conversation about RFID, we don’t like to quote the Daily Mail as a source but its 5 March story on passport cracking is worth bearing in mind:

‘Safest ever’ passport is not fit for purpose In just four hours, the Mail hacked into a new biometric passport and stole the details a people trafficker or illegal migrant would need to set up a life in Britain. Without even opening the envelope containing the passport.

There are less fishy uses to which RFID chips can be put, like library books - even the Vatican uses them.

How do they undo SSN failure? And how do we avoid NI failure?

Steve Summit posts to Peter Neumann’s Risks digest about delays in US “too little too late” efforts to secure the social security number by removing them from publicly accessible documents. He muses:

(not for the first time) what it would take to get U.S. commerce and society to properly separate the tasks of identification and authentication. Would federal legislation mandating this separation be effective?

Indeed. And what will it take to get the same point accepted in UK government? Can we do that BEFORE we use the national insurance number as our ID System index, rather than 15-25 years after?