Archive for April, 2007

Infosecurity

Posted by wendyg in culture, psychology, security services at April 27th, 2007

Today’s net.wars (at NewsWirelessNet or at home) is My Weekend in Second Life and explains why I think SL is going to be increasingly important (rather than the fad a lot of people dismiss it as).

In the midst of it there is a brief digression to yesterday’s InfoSecurity conference, which I wanted to talk a little more about here.

First, in connection with geek ghettoes: the professionalism panel made it plain that the “geek ghetto” isn’t *enough* of a ghetto any more, at least in the terms of these infosec professionals. There is this to be said for geek ghettoes: when they are small and tight and the culture is close-knit, everyone knows who can be trusted and who can’t. In a world full of badly understood technology, there is a lot of efficiency in that. There is, of course, also a lack of diversity, and as a result you get things like software designed by people who think WordPerfect’s DOS commands were intuitive. The solution under discussion was to create a trusted third party - a professional body that would endorse credentials, screen members, etc. This is of course how we manage doctors, lawyers, and many other professionals. But the most interesting suggestion was that infosec professionals could gain their infosec-cred by working in the public sector, only moving on to the private sector after they had sufficient endorsement/expertise/qualifications/credentials. Should government be in the business of endorsing security professionals?

The second thing was the hacker panel, which “Watching Them Watching Us” attended. I was amused that the organizers got a big audience for this panel by advertising that the participants’ names were being withheld “for legal reasons”. As it turned out, everyone except WTWU, who went as “Mark”, gave their full names and tolerated being photographed, and the only one with sufficient cracker-cred to have been prosecuted was the only one the journalists all recognized: Gary McKinnon, currently trying to avoid being extradited to the US. (McKinnon seemed to have been terrified by his lawyers out of saying anything much.)

In that panel, there were a few things of note:

1) Government statistics wrt their own systems are not getting better. The latest US audit found that under 4% of penetration attempts were detected, and under 1% sparked any action.

2) Outsourcing contributes to the problems by increasing the number of players.

3) There were 71 successful prosecutions under the Computer Misuse Act between 2001 and 2005, and 36 failed ones (figures do not include Scotland). Number of foreigners ever extradited to the UK to stand trial for computer crimes: zero. By comparison, there were 81,121 crimes committed in London last year. There are of course computer crimes that are prosecuted under other laws.

4) The move of high-tech crimes into the Serious Fraud Office has made it harder to report computer crimes and has made investigators more remote.

5) The Crown Prosecution Service needs to be educated out of prosecuting people like Daniel Cuthbert (spyblog.org.uk has the details of that one).

6) Police chiefs are not rewarded for the number of phishers etc. they catch, but rather for the number of burglaries, etc., they solve. One proposal was that if everyone sent every phishing/scam/fraud message to the police for a month the police might begin to see our problems as something big they should be handling. (Mark again, considering launching it on spyblog).

wg

To tell the truth…

Posted by wendyg in psychology, security services at April 27th, 2007

I just checked in online for tomorrow’s Air Canada flight, and was asked the Three Luggage Questions. The last of these was slightly different than the one I’ve usually met in person at the airport:

>>Do you have anything in your hand baggage which is sharp or pointed, or any item that could be adapted to cause an injury to another person?>>

Obviously, the correct answer is “No”. But there is no way *anyone* can honestly say “No” to the second half of the question. Got a sweater in your luggage? Great. Cut (with your teeth, nails, key, or belt buckle) a thread at one edge. Unravel until you have sufficient length of yarn to double over. Voila! Rope to strangle someone with. More to the point, there is a certain type of mind - I call it a (stage) magician’s mind - that can see clever ways to use ordinary items that would never occur to most of us. And of course a key could be pretty dangerous if applied to a jugular with sufficient force.

I think we should avoid creating systems that teach people to use correct untruths rather than to think.

wg

“Geek ghettoes”: how do we make sense of this issue?

Posted by William Heath in Humanity nature and activity at April 23rd, 2007

Are we moving towards a world where things become so complex (by nature or by design) that only tecchies can decipher or understand them? Does this create geek ghettoes, inhabited by a marginalised master-race, who are in fact the only people who understand the systems on which our lives depend? 

The issue was put forward to me in these terms:

technology continuing to advance beyond the understanding of any but the most dedicated experts leading to misunderstanding and misuse of novel technologies

Serious thought.

We dubbed this notion “geek ghettoes” and started to explore it. But Peter quickly found that the term “Geek Ghettoes” has been coined to describe a physical place where marginalised geeks - the new social outcasts - hang out, such as Akihabara in Tokyo.

Do we have an issue we need a name for: the idea that technology becomes so complex most of us lose the plot? Plus a social development (interesting but not a major issue for the critical national infrastructure) that marginalised geeks gather socially or in MUDs to talk about anime and machinima in places that come to be called geek ghettoes?

Or are these two sides of the same coin?

Four themes from Chris Rimmer

Posted by William Heath in Humanity nature and activity, Murphy's Law, unexpected consequences at April 19th, 2007

Chris Rimmer writes in with four themes of what might go wrong in our e-enabled world:

1. Trying to fix ‘people problems’ with technology.

This theme mainly stems from watching various governments, in particular our own, try to implement forms of electronic voting. It is clear that there is a problem to be solved here. Voter turnout is getting lower and so the public at large has less and less involvement with the political process. To fix this, the government has decided that turnout can be boosted by making it easier to vote. This of course could have disastrous consequences as the security pitfalls of many forms of electronic voting are well known.

To make matters worse, I would suggest that they are fixing the wrong problem. I love using dodgy metaphors, so bear with me here. If you consider politics as a product which you want to sell to the public, there are two things you can do to increase sales. You can make the product more appealing or you can lower the price. In this context you can consider the price to be the effort required to cast a vote. The government has decided that it needs to lower the ‘price’, by making it easy to vote. But all the surveys show that the electorate is disillusioned with politics in general. They are not staying at home because they are interested in politics but can’t make it down the road to vote. To get the genuine involvement of the electorate the product needs to be made more appealing, but unfortunately this is a much harder and longer term effort.

So my fear is that other problems in society will have similarly damaging technological solutions applied when the problem that needs solving is much deeper.

2. Losing control of the data that rules our lives.

There is much said about privacy and security in our increasingly electronic world. But increasingly the data that matters most to us is outside of our control already. Take the Royal Mail’s PAF database which is used by increasing numbers of businesses to map customers to postcodes and hence to locations. This data is plainly outside of our control. But if your house doesn’t appear in this database then you will suddenly find that it is very difficult to access a whole range of services. It’s bad enough finding out that your house doesn’t officially exist, but imagine a future where you have to produce your ID card to do pretty much anything. What do you do when someone screws up at the Identity and Passport Service and *you* don’t officially exist?

3. Automated law enforcement.

I’m not talking about Robocop-style police walking the street, although that would be pretty scary. I’m talking about some trends that are already with us. I don’t have a big problem with the idea of speed cameras but in some ways this could be seen as the thin end of the wedge. Law is built upon people making judgements about what is “reasonable”, something which is not easily automated, but that hasn’t stopped people from trying.

When technology is introduced to try to stop something happening in the first place, additional legislation is then required to make circumventing it illegal. So we end up with the much reviled DMCA law in the United States. This makes it a crime to circumvent digital protections on a media file regardless of whether your actions would otherwise have been legal. This path could lead us into Kafkaesque scenarios where we have the right to do something but actually exercising that right causes us to break the law.

4. Technology introduced without any thought to privacy.

Almost every new technology introduced creates a new data ‘footprint’ that reduces our privacy. Some schemes, such as an all encompassing identity register make us more susceptible to identity theft by aggregating data about us and then allowing those with access to the data to see large chunks of it. Other changes have a smaller impact, but they all add up.

It is quite possible with a little thought and the use of cryptography to allow us to keep much more control over the amount of information we give out. Unfortunately, the people introducing these grand schemes (politicians) don’t seem to know that this can be done. I think this is because there is no ‘real world’ analogue to, for example, proving the claim that you are over 18 without giving out your date of birth. There also seems to be the attitude that loss of privacy is the price that must be paid for technological ‘progress’.

Like all else on Blindside these are personal views and not related to his employer. Chris’s work blog is here. Sorry you couldn’t make the barn-raising Chris - hope to meet you soon.

channels of communication

Posted by wendyg in Uncategorized at April 14th, 2007

At the ORG party tonight, William and I got talking about multiple channels of communication, particularly wrt this site - how to manage wiki vs blog vs whatever else comes along.

I recently reviewed Scott Rosenberg’s recent book, Dreaming in Code, for ZDNet (on which site I cannot find the review). The book covers Mitch Kapor’s current project to create a Web-based, open source successor incorporating the spirit of the dear departed Lotus Agenda. One of the issues he raises as a problem for the team working on “Chandler” is that they have so many channels of communication - five mailing lists, an IRC channel, a wiki, several blogs, etc. - that they are confused. What goes where, and if you want to find something, where do you look?

I think this is an increasing problem for people (and for government in determining which interactions are “official” and bear legal weight, and which are/do not). If you have an IM chat with an Inland Revenue official should what he says be as binding as if he said it in his office or on the phone? Is there a hierarchy where one form bears more weight than another? (Written, signed letter - official Web page - phone - email…) Instinctively, it seems to me that we are likely to give the oldest forms of communication the greatest weight, where in many cases what should matter is the greatest certainty that the communication is authorized, knowledgeable, correct, and unadulterated.

There is also the issue of expectations. At my tennis club, everyone is now very confused. They started using email to save money, but where they have everyone’s postal addresses and those notifications always went out universally, not everyone has email, and the mail doesn’t reliably reach some of those who do. Notices on the club bulletin board are only seen by people who already go down to the club (and not always them), and people forget to look at the Web site. It is not in my view reasonable to say, as some do, that

In terms of finding stuff, I suppose you can throw the whole lot - wikis, blogs, web pages, IRC logs, usenet newsgroups - into a big pot and do a search, but this isn’t always the solution either, since to find everything on a particular topic you need people to ensure that all the metadata is consistent - searches will obviously fail if one group calls it a spade and another group calls it a shovel. (Even if neither is correct or both are.)

Somewhere some information science student is writing a PhD on the problems of multi-channel communication.

wg

Rules of engagement

Posted by wendyg in Uncategorized at April 14th, 2007

Today’s net.wars is about Tim O’Reilly’s and Jimmy Wales’s proposed “code of conduct” for the blogosphere. This relates to the already mentioned death threats to Kathy Sierra, who was supposed to speak at etech. Another case, I’m afraid, of people responding to one kind of threat by trying to impose the wrong kind of order. They’re reacting like politicians/legislators instead of old-time Netizens.

wg

The risk of RISC

Posted by William Heath in Humanity nature and activity, Procurement at April 12th, 2007

We have a new Security and Resilience Industry Suppliers Council (RISC - see Intellect press release or SBAC press release). Says chair Stephen Phipson:

“Through the formation of RISC the UK security and resilience sector will act as one, in concert with government, to deliver a significantly fortified frontline of security and resilience.” RISC is an alliance of suppliers, trade associations and academics. It provides a single industry voice and channel of communication for government on strategic issues affecting national security and resilience. This will foster unprecedented industry-government partnership and dialogue to counter international and domestic terrorism.

The Spy Blog takes a characteristically dim view of this.

If we could say our IT trade association had a tragic flaw, it would be its inability to ensure that what its members deliver actually meets customers’ or end-users’ needs. It doesn’t even seem to show any interest in the idea, and the consequences in public-sector IT continue to be problematic.

The RISC might well fall into the same pattern.

It can’t make the world a safer place by creating a spirit of military-industrial cosiness and selling taxpayers more technology. It’s the human dimension of security that matters most. It’s not clear from what we see so far which RISC member would speak up to that effect.

Spam and antispam

Posted by wendyg in Uncategorized at April 4th, 2007

I often think spam is a great example of everything that can go wrong with technology in general and egovernment in particular: the Internet and its many facilities - MUDs, IRC, Usenet, email, search engines, IM, blogs, and wikis were all designed with the same anarchic optimism in mind. (Anarchy in the old sense, in which people eschew laws, rules, and governments and choose to have faith that others will be good actors, hence optimistic.) And along come spoilers who turn the system to their own advantage and are not interested in community standards.

This is my writeup for the Reg of last Friday’s antispam conference at MIT. This was a small gathering - maybe 30 or 40 people - but it included representatives of several household name ISPs as well as researchers who had traveled from as far as Italy and Croatia to present papers. Someone (who prefaced every single thing he said with “You can’t quote me”) commented that he thinks this type of small, brainy gathering is far more likely to come up with solutions than the better-known industry forums that are much bigger. In general, he says, those fora come up with just more of the same.

Among things that didn’t get into the Reg writeup:
- a paper (Angela Blanco from the University of Salamanca) carefully demonstrating that multiple classifiers really are better than one (which sounds obvious but still needs to be proved)
- a paper (Amanda Watlington) on the difference between search engine marketing and search engine spam
- a presentation (Six Apart) on splogs and blog spam generally
- a proposal for reputation technologies (this guy didn’t get very far because early on he dissed Spamhaus, which most people agree is hugely helpful, and which many major ISPs rely on; his company wants to sell reputation management as a service)
- a paper (Alberto Trevino, Brigham Young University) on header relay detection (this paper was roundly criticized by Eric Allman, creator of Sendmail, on the grounds that it violates RFC2821 and has other significant problems such as relying on people to read bounce messages, which themselves are usually spam, so people have stopped reading them)
- a paper proposing a way to modify SPF so that legitimate remailing (eg, Blackberry) would not be blocked; the presenter believes that this sort of problem is blocking wider adoption of SPF
- Bitdefender on multiple filters

The papers should all be up soon (if they’re not already) here. (Good practice: they went around collecting the presentations from the speakers onto a USB key before letting them leave.)

Some things about this:
1) Spam is a hugely intractable problem
2) There is no single solution (because there is no one type of spam and no one motive or modus operandi of the spammers)
3) Government action in the form of laws and regulation is not much help (although the existence of laws may help prosecutors once a spammer is actually caught - yet that does not result in any reduction of the problem).
4) Every system that people use to communicate with each other is vulnerable.
5) Services involving public collaboration must be designed with the understanding that they will be vulnerable to spam once they reach a certain prominence or size. (Law blogs last year were estimating the readership at which comment spam became an issue at around 10,000; I have a blog that’s hardly used yet gets comment and trackback spam - because my site’s page rank is 6, which is fairly high for an individual Web site). Things like Google’s Adsense and Amazon associates have created economic motives for search engine spam splogs, yet no one would have expected them to contribute to the spam problem. In the case of wikis, you’d think spam would be a problem but the ability to roll back changes tends to obviate a lot of it; abuse in the form of content spoilage seems to be the more acute problem with bigger wikis, to which the only answer is human moderators.

wg

US government to insist PCs are secured

Posted by William Heath in Procurement at April 3rd, 2007

This could be a case of government procurement muscle used to effect changes in the supply side. From Techworld

The US federal government has launched a programme that will require federal agencies to insist on security standards from suppliers, a move that some argue will have a far-reaching impact on most large and medium-sized organisations buying PCs. The government confirmed the move in a memo late last month and will roll the programme out in several stages during the course of this year. By 1 February of next year, all federal agencies will be required to use secure software configurations when they deploy Windows XP or Vista.

The scheme matters to the outside world because software suppliers who want to sell to the US government will have to certify that their equipment works on operating systems set up to work securely, said Alan Paller, director of research at the Sans Institute security research centre, in a recent memo.

Currently organisations never know if securely configuring Windows will break their applications. The new US government programme could make things simpler for IT managers by providing clearly understood standard security configurations that are backed up by the federal government’s purchasing power, Paller said.

“It provides the incentive ($65bn/£33bn) in US government IT purchasing each year, and confidence (agreed upon configurations), to allow every software vendor to ensure and affirm the software they sell works on the secure configurations,” he wrote. “That takes the pain out of secure configuration and rapid patching.”

Paller said secure configurations could slow the spread of botnets, reduce patching delays and stop many attacks directly.

“This initiative will affect every medium and large buyer of computers running Windows software,” Paller wrote.

The White House memo is here