Archive for the 'psychology' Category


Also see the psychology category on the Blindside Wiki

Infosecurity

Posted by wendyg in culture, psychology, security services at April 27th, 2007

Today’s net.wars (at NewsWirelessNet or at home) is My Weekend in Second Life and explains why I think SL is going to be increasingly important (rather than the fad a lot of people dismiss it as).

In the midst of it there is a brief digression to yesterday’s InfoSecurity conference, which I wanted to talk a little more about here.

First, in connection with geek ghettoes: the professionalism panel made it plain that the “geek ghetto” isn’t *enough* of a ghetto any more, at least in the terms of these infosec professionals. There is this to be said for geek ghettoes: when they are small and tight and the culture is close-knit, everyone knows who can be trusted and who can’t. In a world full of badly understood technology, there is a lot of efficiency in that. There is, of course, also a lack of diversity, and as a result you get things like software designed by people who think WordPerfect’s DOS commands were intuitive. The solution under discussion was to create a trusted third party - a professional body that would endorse credentials, screen members, etc. This is of course how we manage doctors, lawyers, and many other professionals. But the most interesting suggestion was that infosec professionals could gain their infosec-cred by working in the public sector, only moving on to the private sector after they had sufficient endorsement/expertise/qualifications/credentials. Should government be in the business of endorsing security professionals?

The second thing was the hacker panel, which “Watching Them Watching Us” attended. I was amused that the organizers got a big audience for this panel by advertising that the participants’ names were being withheld “for legal reasons”. As it turned out, everyone except WTWU, who went as “Mark”, gave their full names and tolerated being photographed, and the only one with sufficient cracker-cred to have been prosecuted was the only one the journalists all recognized: Gary McKinnon, currently trying to avoid being extradited to the US. (McKinnon seemed to have been terrified by his lawyers out of saying anything much.)

In that panel, there were a few things of note:

1) Government statistics with regard to their own systems are not getting better. The latest US audit found that under 4% of penetration attempts were detected, and under 1% sparked any action.

2) Outsourcing contributes to the problems by increasing the number of players.

3) There were 71 successful prosecutions under the Computer Misuse Act between 2001 and 2005, and 36 failed ones (figures do not include Scotland). Number of foreigners ever extradited to the UK to stand trial for computer crimes: zero. By comparison, there were 81,121 crimes committed in London last year. There are of course computer crimes that are prosecuted under other laws.

4) The move of high-tech crimes into the Serious Fraud Office has made it harder to report computer crimes and has made investigators more remote.

5) The Crown Prosecution Service needs to be educated out of prosecuting people like Daniel Cuthbert (spyblog.org.uk has the details of that one).

6) Police chiefs are not rewarded for the number of phishers etc. they catch, but rather for the number of burglaries, etc., they solve. One proposal was that if everyone sent every phishing/scam/fraud message to the police for a month the police might begin to see our problems as something big they should be handling. (Mark again, considering launching it on spyblog).

wg

To tell the truth…

Posted by wendyg in psychology, security services at April 27th, 2007

I just checked in online for tomorrow’s Air Canada flight, and was asked the Three Luggage Questions. The last of these was slightly different from the one I’ve usually met in person at the airport:

>>Do you have anything in your hand baggage which is sharp or pointed, or any item that could be adapted to cause an injury to another person?>>

Obviously, the correct answer is “No”. But there is no way *anyone* can honestly say “No” to the second half of the question. Got a sweater in your luggage? Great. Cut (with your teeth, nails, key, or belt buckle) a thread at one edge. Unravel until you have a sufficient length of yarn to double over. Voila! Rope to strangle someone with. More to the point, there is a certain type of mind - I call it a (stage) magician’s mind - that can see clever ways to use ordinary items that would never occur to most of us. And of course a key could be pretty dangerous if applied to a jugular with sufficient force.

I think we should avoid creating systems that teach people to use correct untruths rather than to think.

wg

Death threats

Posted by wendyg in AnonymitY, culture, psychology, threats at March 27th, 2007

So the story goes like this: Kathy Sierra, who blogs about interface design, cancelled her appearance at this conference because she was getting death threats posted on her blog (and elsewhere). Her story about it is here.

Public personalities have had to deal with this kind of thing for years - as we all become to some extent public personalities through our visible online interactions, is dealing with this kind of thing something we must all learn to do? (Without in any way blaming the victim, I have to say that in my own experience dealing with online trolls your best strategy is to ignore them; expressing distress feeds them.)

wg

Bruce Schneier at LSE on the economics of security

Posted by William Heath in Faster/smaller/better..., psychology at March 22nd, 2007

In his second talk in two days at the LSE (this one co-sponsored by the BCS) Bruce Schneier spoke about the economics of information security. Economics is a useful tool for shining a light on information security questions which make no sense from the technology point of view, he said, describing 10 trends in info security:

1. Economic value of information: an old notion with new implications. It’s now normal to have companies whose physical assets are worth less than information assets which can be used for marketing, process streamlining, personalisation, law enforcement and forensics. “If information didn’t have value computer security wouldn’t exist.”

2. Networks as critical infrastructure. If it’s important these days it comes over the net. When did you last get something important in the mail?

3. Third parties controlling information. “Your information isn’t controlled by you.” Our existing legal protections are written in terms of your person, home, car - things under your control. But your emails reside at Google or your ISP, the merchant controls your shopping data and the hospital (or in the UK a central authority) your medical records. Paris Hilton didn’t leak messages from her own phone - they were hacked from T-Mobile. It’s all stored elsewhere under someone else’s control.

4. Criminals are thriving on the net. It used to be hobbyists defacing web sites; now the dominant hackers are criminals trying to take your money with spam, fraud due to impersonation and denial-of-service extortion. There’s a business model for spam and a market for bot networks. It’s global and by some accounts comparable in value to the market for illegal drugs. “They’re not going away and we’re not going to solve this.”

5. Complexity is the worst enemy of security. If computers get better faster and cheaper, why is security getting worse? The answer is complexity. If we wanted a secure operating system we’d start by going back to DOS, but we love complexity. Security is getting better like everything else, but complexity is getting worse faster.

6. Slower patching; faster exploits. There’s a weird business model for software: we build it, throw it out there, and fix it later. You can either have patches fast, or well tested. But not both. Hence Microsoft’s move to a monthly “patch Tuesday”.

7. Sophistication of automatic worms. They used to be simple creatures. Now they’re polymorphic, metamorphic, they use Google for vulnerability assessment. New worms don’t advertise their presence with a cheeky message. They report back to their owner to ask for instructions: to sniff passwords, collect a keystream, infect other platforms. It’s no longer about novelty to score style points; it’s about repeatedly doing what’s effective.

8. Untrustworthiness of the endpoints. The traditional security model, on which something like PGP encryption or SSL is based, requires trusted end points. This model fails. The attackers use Trojans or spyware. The bad guy captures your keystream, or decrypted data, or does background transactions once you’re authenticated. We’re trying, eg with Microsoft Vista, but these endpoints are hard to fix.

9. The end user seen as attacker. The aim of DRM is to protect someone else from you. It reduces your functionality, pisses you off and you can’t delete it. It sounds like a hacking tool; it looks like malicious code (eg the Sony root kit). The security expert can’t protect you and protect from you at the same time. “If I protect you it makes it harder for Sony. If I make it easier for Sony it’s easier for the bad guy.” So we’re set to get more and more invasive tools that assume we are the bad guys.

10. Regulatory pressure. It’s hard to get people to buy security: it’s a “fear” sell. As a greed sell it never works. But what does work to sell security is regulation. Fear of failing an audit is way bigger than fear of data theft. “It annoys me no end, but there you have it.”

Things are getting worse not better. They’re getting more complicated. The non-technical aspects are more important than the technical. And increasingly the driver is economics and not computer science.

The basic economics of security are that if you lose £1000 by being mugged and it happens once every ten years, it’s worth spending £100 a year preventing it. But this model breaks down as the likelihood becomes zero and the effects catastrophic, and you’re trying to multiply zero by infinity, and there’s no numeric grasp of the risk.

Economics gives us the idea of an externality - a cost borne by someone other than the person responsible. We pollute a river to make chemicals, those downstream suffer. To correct this either the authorities fine the polluter, or those who suffer sue. We need a similar fix to the problem of buggy software. A lot of security paradoxes can be explained by externalities, eg phone security, data thefts, buggy software, insecure home computers. We need to align ability to mitigate risk with financial responsibility.

The recommended next steps are:

1. Understand the security problem and stakeholders

2. Understand the security and nonsecurity tradeoffs

3. Align the economic incentives (otherwise the problem will never get solved).

4. Implement countermeasures to reduce risk.

5. Iterate as technology changes things, making it faster, easier and cheaper for the bad guys as well as the good guys.

To hear Bruce Schneier twice in three days isn’t too much. He’s an exuberant communicator, beholden to no-one, even in his new mega-corporate BT entity. As well as using economic perspectives to shine a new light on information security he’s just reaching out to other disciplines like the psychology of risk, and is excited by the power of an interdisciplinary approach.

For regular updates check out his Cryptogram newsletter or his blog.

Are we mentally adapted to on-line security?

Posted by William Heath in Humanity nature and activity, human error, psychology at February 11th, 2007

Bruce Schneier has a piece on the psychology of security, and our ability to make tradeoffs.

The truth is that we’re not hopelessly bad at making security trade-offs. We are very well adapted to dealing with the security environment endemic to hominids living in small family groups on the highland plains of East Africa. It’s just that the environment in New York in 2006 is different from Kenya circa 100,000 BC. And so our feeling of security diverges from the reality of security, and we get things wrong.