Bruce Schneier
Schneier on Security

A blog covering security and security technology.

March 23, 2007

Misplacing the Blame in Personal Identity Thefts

Really good article:

In a recent dissection of the connection between gaming and violence, the term "folk devil" was used to describe something that can be labeled dangerous in order to assign blame in a case where the causes are complex and unclear. The new paper suggests that hackers have become the folk devils of computer security, stating that "even though the campaign against hackers has successfully cast them as the primary culprits to blame for insecurity in cyberspace, it is not clear that constructing this target for blame has improved the security of personal digital records."

Posted on March 23, 2007 at 10:29 AM

The best targets for this kind of information (the companies that keep large databases of personal information) have the least accountability for any harm caused through their negligence. That leads to a disincentive for anyone to improve the situation. The majority of people who collect this information use it for marketing purposes. The goals of the marketing organizations are focused on acquiring customers. Data security isn't even an afterthought in these organizations.

Posted by: Mike Sherwood at March 23, 2007 11:02 AM

Those evil-doers are certainly to blame. When fighting this evil, you are either with us or against us. Hackers, crackers, and users constitute an axis of evil. That means they are armed with axes to hack away at our security doors in order to steal our identities.

Posted by: aikimark at March 23, 2007 11:54 AM

I have nothing much to add, except I've used "scapegoat" instead of "folk devil". I figured folk devil is just the new word.
Posted by: jammit at March 23, 2007 12:06 PM

I'm assuming "folk devil" is from the German "Volksteufel", which is an old expression. Means something like the same as a scapegoat, except that the original scapegoat was a physical goat that could have the blame for some action or event symbolically attached to it, and then be killed as ritual atonement.

Posted by: dragonfrog at March 23, 2007 1:32 PM

So I guess the subtle distinction is that a 'scapegoat' exists to formally take the blame for something and be punished for it, while the 'folk devil' exists to remove the blame from someone else so that they won't be punished. The difference being that there's no real expectation of the folk devil ever being called to task, as it may not physically exist.

Posted by: Bryan Feir at March 23, 2007 1:57 PM

The term "folk devil" does come from German "Volksteufel", but has been used in English translation by sociologists since the 1970s: http://en.wikipedia.org/wiki/Folk_devil

It is obviously somewhat similar in meaning to "scapegoat", but there are differences. A scapegoat is a person or group maliciously, falsely or inflatedly blamed for some actual problems, the usual implication being that another bears the real blame. When "folk devil" is used, the implication is that a network of folklore and urban legend has surrounded the victim. As a result the victim is blamed not only for real problems caused by others but fanciful ones arising from the folkloric framework, and even a general miasma of evil with no specific problem identified.

Posted by: Roger at March 23, 2007 6:04 PM

Isn't this like saying "Muggers blamed for lost wallets"? Without a correlation of damages to incidents, this data doesn't seem particularly interesting from a threat assessment point of view.
Posted by: Dutcher at March 23, 2007 6:18 PM

Given the much broader veil of secrecy now, and the dependency of the US government on private firms whose very contract details are classified, I fear that there could be large data losses that will not be disclosed to the public. An affected citizen might wonder, Who let my personal data get out, and find that no answer is forthcoming.

Posted by: shimmershade at March 23, 2007 8:53 PM

"An affected citizen might wonder, Who let my personal data get out, and find that no answer is forthcoming." Indeed, it will become a felony to ask.

Posted by: the other Greg at March 24, 2007 4:10 AM

@Dutcher:

Posted by: Francois at March 24, 2007 6:20 PM

It's kinda silly to blame the hackers. When designing a system, you have to assume that any security holes left open will eventually be exploited. That's the law of the jungle. The real question is how much resources you're willing to devote to making your system more secure. If you decide that a countermeasure isn't worth the tradeoff in time and resources, that's your call. If someone then compromises your security, you have nobody to blame but yourself.

Posted by: Jeremy Pollack at March 25, 2007 11:40 AM

Indeed a lot of breaches are "accidental". There are some tools that try to mitigate this type of data leaks. I wrote about them here: http://securetheworld.blogspot.com/2007/03/methods-for-network-based-devices.html

Posted by: Mohit at March 25, 2007 5:56 PM

On one hand, you can "blame the victim" by simply stating (truthfully) that all too often users GIVE away access to confidential systems and data.

www.securityrants.com

Posted by: Mark Reinertson at March 26, 2007 10:06 AM

This is the first time I've encountered "Folk devil"/Volksteufel. Seems handy. I will try it out in my discourse. Almost as useful a term as "urban legend."

Posted by: Bill Higgins-- Beam Jockey at March 27, 2007 8:53 AM

It's just like that there Iranium.
So let's blame them coding-addicted hackers, crackers, and users

Would you want coding addicts doing stuff that changes your life?

Posted by: peter at March 28, 2007 12:53 PM