Aligning Interest with Capability

Have you ever been to a retail store and seen this sign on the register: "Your purchase free if you don't get a receipt"? You almost certainly didn't see it in an expensive or high-end store. You saw it in a convenience store, or a fast-food restaurant. Or maybe a liquor store. That sign is a security device, and a clever one at that. And it illustrates a very important rule about security: it works best when you align interests with capability.

If you're a store owner, one of your security worries is employee theft. Your employees handle cash all day, and dishonest ones will pocket some of it for themselves. The history of the cash register is mostly a history of preventing this kind of theft. Early cash registers were just boxes with a bell attached. The bell rang when an employee opened the box, alerting the store owner -- who was presumably elsewhere in the store -- that an employee was handling money.

The register tape was an important development in security against employee theft. Every transaction is recorded on write-only media, in such a way that it's impossible to insert or delete transactions. It's an audit trail. Using that audit trail, the store owner can count the cash in the drawer and compare the amount with what the register tape recorded. Any discrepancies can be docked from the employee's paycheck.

If you're a dishonest employee, you have to keep transactions off the register. If someone hands you money for an item and walks out, you can pocket that money without anyone being the wiser. And, in fact, that's how employees steal cash in retail stores.
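The audit trail and its blind spot, as an added example that is not part of the original essay: a small Python model of a register tape as a hash-chained, append-only log (a constructed stand-in for the paper tape's no-insert, no-delete property), the owner's cash reconciliation from the paragraph above, and an inventory reconciliation. Every name, price and stock count here is constructed for the example. It shows why the tape alone is not enough: an off-register sale leaves the tape internally consistent and the drawer balanced, and only shows up when sales are checked against a stock count.

```python
import hashlib
from collections import Counter
from dataclasses import dataclass

GENESIS = "0" * 64  # chain anchor for the first entry (constructed convention)


@dataclass(frozen=True)
class Entry:
    seq: int          # position on the tape; gaps or repeats mean insert/delete
    item: str
    price_cents: int
    prev_hash: str    # digest of the preceding entry
    digest: str       # digest over this entry's fields and prev_hash


def _digest(seq, item, price_cents, prev_hash):
    return hashlib.sha256(f"{seq}|{item}|{price_cents}|{prev_hash}".encode()).hexdigest()


class RegisterTape:
    """Hash-chained, append-only sales log modelling the paper tape's audit-trail property."""

    def __init__(self):
        self.entries = []

    def ring_up(self, item, price_cents):
        prev = self.entries[-1].digest if self.entries else GENESIS
        seq = len(self.entries)
        entry = Entry(seq, item, price_cents, prev, _digest(seq, item, price_cents, prev))
        self.entries.append(entry)
        return entry

    def verify(self):
        """True only if every entry sits at its sequence number and chains to its predecessor."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev:
                return False  # an entry was inserted, removed or reordered
            if _digest(e.seq, e.item, e.price_cents, e.prev_hash) != e.digest:
                return False  # an entry's contents were altered
            prev = e.digest
        return True

    def total_cents(self):
        return sum(e.price_cents for e in self.entries)


def cash_discrepancy_cents(tape, opening_float_cents, drawer_cents):
    """The owner's count: cash in the drawer, minus the float, minus what the tape says was sold."""
    return drawer_cents - opening_float_cents - tape.total_cents()


def inventory_shortfall(tape, stock_at_open, stock_counted):
    """Units that left the shelf without a matching entry on the tape, per item."""
    sold = Counter(e.item for e in tape.entries)
    shortfall = {}
    for item, opened in stock_at_open.items():
        missing = opened - stock_counted.get(item, 0) - sold[item]
        if missing:
            shortfall[item] = missing
    return shortfall


def run_shift():
    """Constructed shift: three honest sales, one off-register sale, one tampered copy of the tape."""
    tape = RegisterTape()
    opening_float = 5000
    drawer = opening_float
    stock_at_open = {"soda": 10, "chips": 10}
    stock = dict(stock_at_open)

    # Honest sales: rung up, cash into the drawer, item leaves the shelf.
    for item, price in [("soda", 150), ("chips", 225), ("soda", 150)]:
        tape.ring_up(item, price)
        drawer += price
        stock[item] -= 1

    # Off-register sale: the customer pays for a soda and walks out without a receipt;
    # the item leaves the shelf but nothing reaches the tape or the drawer.
    stock["soda"] -= 1

    # A copy of the tape with the chips sale "deleted": the chain no longer verifies.
    tampered = RegisterTape()
    tampered.entries = tape.entries[:1] + tape.entries[2:]

    return {
        "tape_valid": tape.verify(),
        "tape_total_cents": tape.total_cents(),
        "cash_discrepancy_cents": cash_discrepancy_cents(tape, opening_float, drawer),
        "inventory_shortfall": inventory_shortfall(tape, stock_at_open, stock),
        "tampered_tape_valid": tampered.verify(),
    }


if __name__ == "__main__":
    for key, value in run_shift().items():
        print(f"{key}: {value}")
```

Two design notes. The chain catches insertion, deletion and alteration in the middle of the tape, but not truncation of the most recent entries; a real control also records the last sequence number or digest somewhere the cashier cannot reach, just as the owner reads the tape's final count. And the cash check balances to zero in the off-register case precisely because the money never entered the drawer, which is the gap the "your purchase free" sign closes by giving the customer a reason to insist on the receipt.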

What can the store owner do? He can stand there and watch the employee, of course. But that's not very efficient; the whole point of having employees is so that the store owner can do other things. The customer is standing there anyway, but the customer doesn't care one way or another about a receipt.

So here's what the employer does: he hires the customer. By putting up a sign saying "Your purchase free if you don't get a receipt," the employer is getting the customer to guard the employee. The customer makes sure the employee gives him a receipt, and employee theft is reduced accordingly.

There is a general rule in security to align interest with capability. The customer has the capability of watching the employee; the sign gives him the interest.

In Beyond Fear I wrote about ATM fraud; you can see the same mechanism at work:

"When ATM cardholders in the US complained about phantom withdrawals from their accounts, the courts generally held that the banks had to prove fraud. Hence, the banks' agenda was to improve security and keep fraud low, because they paid the costs of any fraud. In the UK, the reverse was true: The courts generally sided with the banks and assumed that any attempts to repudiate withdrawals were cardholder fraud, and the cardholder had to prove otherwise. This caused the banks to have the opposite agenda; they didn't care about improving security, because they were content to blame the problems on the customers and send them to jail for complaining. The result was that in the US, the banks improved ATM security to forestall additional losses--most of the fraud actually was not the cardholder's fault--while in the UK, the banks did nothing."

The banks had the capability to improve security. In the US, they also had the interest. But in the UK, only the customer had the interest. It wasn't until the UK courts reversed themselves and aligned interest with capability that ATM security improved.

Computer security is no different. For years I have argued in favor of software liabilities. Software vendors are in the best position to improve software security; they have the capability. But, unfortunately, they don't have much interest. Features, schedule, and profitability are far more important. Software liabilities will change that. They'll align interest with capability, and they'll improve software security.

One last story… In Italy, tax fraud used to be a national hobby. (It may still be; I don't know.) The government was tired of retail stores not reporting sales and not paying the taxes due, so they passed a law regulating the customers. Any customer who has just purchased an item and is stopped within a certain distance of a retail store has to produce a receipt or be fined. Just as in the "Your purchase free if you don't get a receipt" story, the law turned the customers into tax inspectors. They demanded receipts from merchants, which in turn forced the merchants to create a paper audit trail for the purchase and pay the required tax.

This was a great idea, but it didn't work very well. Customers, especially tourists, didn't like to be stopped by police. People started demanding that the police prove they just purchased the item. Threatening people with fines if they didn't guard merchants wasn't as effective an enticement as offering people a reward if they didn't get a receipt.

Interest must be aligned with capability, but you need to be careful how you generate interest.

This essay originally appeared on Wired.com.

Posted on June 1, 2006 at 6:27 AM • 54 Comments

Comments

TimTheEnchanter • June 1, 2006 7:17 AM

In that situation it is in the customer's interests not to get a receipt; how does the sign help make customers get a receipt?

Simon@AutoUpdate+ • June 1, 2006 7:26 AM

You are correct. It is definitely in the interest of the customer not to get a receipt. But when they complain, what do you think happens? The manager will need to be called, at which point the employee's stealing becomes exposed.

Anonymous • June 1, 2006 7:26 AM

@Tim,

when I don't get a receipt I'd demand my money back because of the sign. If the employee would refuse this, I'd call the store owner, who should give me my purchase and my money and fire the employee.

Antonomasia • June 1, 2006 7:26 AM

I don't need a receipt - can I have this half-price?

Hire people you don't trust (including customers) and you can expect trouble.

Tamas • June 1, 2006 7:32 AM

Hungary had a very high VAT in the early 1990s (25% for most goods). For some merchants (mostly small retail stores for durable items), if you did not ask for a receipt, you got a lower price (by 50-70% of the value added tax). Both the customers and the merchants had the incentive to do this, as they divided the benefit from tax evasion. When you were alone with the merchant, you would ask if he/she was interested in "halving the VAT" (meaning that you wanted no receipt).

Nowadays the VAT is lower, the tax authority is more efficient and I don't notice this happening anymore (I admit that I spend most of the year in the US though).

bob • June 1, 2006 7:42 AM

RFID will probably reduce it even more because now there is a transaction that can be tracked back to when and where the item was taken off the shelf.

@Tamas: Germany is just raising their VAT from 16 to 20%. Be interesting to see if that starts to be the trend there.

Euripides • June 1, 2006 7:47 AM

In Austria (20% VAT) it's still a trend. Especially craftsmen ask if one needs a receipt.

Buck • June 1, 2006 8:18 AM

there are a couple of problems with the cash-register-receipt security system. either,

1. if the employee's attempted theft is called by the customer, the employee can always just say, "yep, your purchase free," and give the customer back the money, making the customer happy and him-/herself no worse off than before but leaving the store owner worse off; or,

2. if the policy doesn't require they expose the employee in the act, then customers can cheat and fraudulently claim, at a later point, not to have received a receipt for a particular purchase. i guess the fallback here is security video, where applicable

D • June 1, 2006 8:27 AM

@Antonomasia

...and now that you're outside the store, and the employee took your money and pocketed it, reporting the item stolen, you don't have a receipt to prove you "purchased" it.

Alex • June 1, 2006 8:30 AM

The UK (VAT 17.5%) version is to offer a "discount for cash customers" - cash, of course, is untraceable and therefore neither the VAT nor the income tax needs to be paid.

Bernardo • June 1, 2006 8:38 AM

"This was a great idea, but it didn't work very well. Customers, especially tourists, didn't like to be stopped by police. People started demanding that the police prove they just purchased the item. Threatening people with fines if they didn't guard merchants wasn't as effective an enticement as offering people a reward if they didn't get a receipt."

A few years ago, the Chilean equivalent to the IRS needed to reduce tax evasion. Mind you, people could be fined if they did not produce a receipt after a purchase, just like in Italy. But they decided to create a lottery that took purchase receipts as tickets, and offered a house every month as the main prize.

It was wildly successful. People looked for receipts on the street, on restaurant tables, and everywhere. Tax evasion was reduced and kept at bay even after the lottery ended.

B.

Ralph Broom • June 1, 2006 9:04 AM

Bruce, I'm generally in favor of software liability, though perhaps in the form of contracts (I admit not knowing how we'd get there without regulation).

What concerns me is the potential impact on free/open-source software. This has been the source of many great tools, but if all software producers must maintain liability for their code, it seems that this will end up restricting the benefits of the open code we've been getting, as many open-source contributors could not afford to support liability.

I suggest the following refinement: Software liability for closed-source software. You can sell it, but if you keep the source closed you have liability for it. (I'm not suggesting mandating GNU-style licensing here; just releasing the code, copyrighted as the producer needs.)

This at least gives the user community a shot at protecting themselves. If they can't, then the producer should be held accountable for protecting them.

JohnJ • June 1, 2006 9:08 AM

@Buck:

There's another problem: Collusion between the customer & the cashier. To avoid being caught shoplifting on camera, the customer takes the goods to the register and pays the cashier. The cashier pockets the money & doesn't generate a receipt. The customer doesn't complain about the lack of a receipt and doesn't demand a free purchase. Later, the two meet up and divide the goods & funds.

greg • June 1, 2006 9:10 AM

In NZ the store pays VAT (GST) on the items to stock the shop. Every 2 months you put in your GST return on the goods sold and the GST is the difference. So with the "under the table" sales the tax department still gets the GST from the store.

ForgetIt • June 1, 2006 9:14 AM

The Italian customer receipt law was rescinded some time last year - but it was in play for about a decade before that.

havvok • June 1, 2006 9:46 AM

There is little one can do when each of the people to whom you are delegating any level of trust collude to bypass security controls. In this case though, the collusion is not as likely; you are more likely to have a fraudulent customer who purchases an item and takes a refund, then tries purchasing again until they get no receipt.

But on that note, having a policy of free purchases if you have not been given a receipt aligns well with having 'egress filtering', those guys who stand by the door and want to inspect your purchase and your receipt. If there is an advantage to the consumer in having them there to catch people without receipts, it would make it more palatable.

Paul • June 1, 2006 9:58 AM

Another common example of the same technique is that of pricing items at just below whole currency units (e.g., 99c) - this also, in theory, forces the cashier to process the sale in order to open the cash drawer and get the penny change. Of course, there are ways around that as well...

Andrew2 • June 1, 2006 10:15 AM

"In NZ the store pays VAT (GST) on the items to stock the shop. Every 2 months you put in your GST return on the goods sold and the GST is the difference. So with the "under the table" sales the tax department still gets the GST from the store."

Well, almost. The tax collector gets tax on the store's supplier price, not the store's sales price, for the under-the-table goods. The retail store's own value-add (whatever that is) goes untaxed.

Dave Page • June 1, 2006 10:43 AM

Ralph:

Why not just liability for software sold, rather than given away? No need to bring open or closed source into it. Companies which make profit from selling software like RedHat and SuSE will be liable for supporting it, without harming smaller interests.

Clive Robinson • June 1, 2006 10:52 AM

@Bruce

"In Italy, tax fraud used to be a national hobby"

It still is. A lot of people in the UK have fallen foul of house purchase tax. In Italy there is the Official Purchase price (on which tax is paid) and the Real Purchase price, which may be several times that of the Official price.

Italian solicitors are well aware of this and play the game. However, UK solicitors are not, and as they have transferred over more than 10,000 GBP they comply with the money laundering laws in Europe (introduced by Germany and France when their currencies went very soft).

The poor UK house purchaser suddenly finds themselves accused not just of tax evasion in Italy but also of serious crime (i.e. money laundering) and has to try and explain it to the UK authorities, who take a dim view of the whole thing (especially as they make quite a bit of money out of it, and if there is one thing the UK Government needs more than anything else it's money...).

So yes, tax evasion in Italy is still alive and well, but only for those that live there; other European residents wishing to do business there need to be careful how they go about it.

Swiss Connection • June 1, 2006 11:00 AM

@Ralph Broom

Yes indeed, free software should not have liability attached to it. A related issue is software patents. There are only so many ways of designing a wheel and once this information becomes public knowledge no one should be able to patent that information for personal gain. Sure the vendor should be held liable for his implementation of the wheel, the structural integrity of the wheel and how well it will hold up when battering along a road. This is in the public interest and in the interest of safety.

When looking at software, using the right tools, many standard applications can be bolted together relatively easily. There should be no cost for the end user for this part of the equation. Then, depending on the guarantees you give in terms of service, reliability, durability and security, the software should have a price attached commensurate with the tangible benefits these guarantees bring.

The telecom industry serves as a good example of this. If you are willing to put up with bad quality, interruption of service, unwanted advertising etc. you can make your calls for free. Then, directly in proportion to how well you trim these parameters in your favor, the service costs correspondingly more!

Unfortunately, unlike Europe, the US supports software patenting, which is ultimately tantamount to licensing in one's own favor the benefits of the wheel. Not the idea of a wheel has value, but the quality of the implementation!

Of course this argument is in vain as far as the US is concerned where it is possible to patent even "one click shopping", but in Europe we still have a refreshing absence of software patents and many a small software developer is praying that extensive US pressure will not cause European legislators to topple on this issue.

Personally I resent paying for upgrades that provide more features that I don't want, that punch holes into the security, bloat my disk, and bring my processor to its knees. I would sooner have the same features with the added benefit of working properly, more efficiently and more securely as promised, without losing control over my computer and without having to dig deep into my pocket.

Here I completely agree with Bruce, putting a price on these values would certainly push the industry more in the right direction.

Pat Cahalan • June 1, 2006 12:09 PM

@ Brian

There are a couple of other threads about liability on this blog (actually, several dozen), and there's a thread about Marcus' "Dumbest Ideas In Computer Security" that brings up the liability question. Marcus has some comments on this thread.

Someone needs to redesign the back end of Bruce's blog here so that he can apply meta tags to his posts, and then have all of the threads with the same tags show up in the sidebar. There's lots of overlap. (example -> the question of liability for free/open source software has come up before).

Regarding the particular type of theft that kicked off the original post... many cash registers are set to display numbers, but have no (or ineffective) indication capability for the display itself. For example, many registers have a tiny light to indicate "total" or "change" which lights up when the numbers are displayed.

Convenience store clerks who like to lift cash work around this by opening the drawer with a "no sale" or equivalent and rapidly keying in a fake total number. The customer sees "10.95" displayed on the register, doesn't note that the "total" light isn't lit, and promptly hands over $11.00.

I've heard of employees who use the change part of their register drawer as a type of an abacus to keep a running total of the amount of "extra, un-receipted" cash in their drawer. They don't lift cash per transaction, simply dump change in one section of their drawer to tally up the transactions.

Some suggestions for store managers...

(1) check your employee's cash drawer visually every once in a while. If you see something that looks odd (like a pile of assorted change in one place instead of in their individual cubbyholes), it's probably not a benign indicator.

(2) occasionally replace employee cash drawers with a new drawer, take a register tally, and check the totals during the middle of a shift, instead of waiting for end of shift every day.

(3) implement a "receipt or your purchase is free" program like the one discussed here.

(4) enlist a store regular with free coffee/newspaper, etc. to note, when he or she comes into the store, if the register displays the "total" or "change" indicator light.

(5) if at all possible, buy a register that has very obvious indicators (color coding, perhaps) that show "total", "tax", "change", whatever. Even better, find a model that will only display "total" and "change" numbers, not any individual numbers the employee may key in.

Ryan Russell • June 1, 2006 12:39 PM

"write-only media"?

I'm not sure they are much good if you can't read them, too. :)

John M • June 1, 2006 12:41 PM

@Dave Page
Liability for proprietary software would create an interest in security for those who have the capability to improve it (the developers). Free software gives that capability to users, who already have the interest. Whether the software is sold or given away is irrelevant - those who give away proprietary software have no more interest in making it secure than those who sell it, while users of free software have the capability to improve its security, whether they pay for it or not.

Victor Bogado • June 1, 2006 12:49 PM

@Brian

I read the article on inviting the cockroaches, and I agree in part. But the article doesn't get to a good enough solution, simply because people can't tell crap from a good product even if their lives depend on it.

When it comes to selecting software the problem goes beyond that; even (some) professionals and knowledgeable people would not agree on what is crap and what is not. Sure, almost everyone thinks that Windows and IE suck, but on other grounds there will be endless flamewars.

I believe that some liability is the answer, not the kind of liability that the article says. But if MS were to give my money back if Windows bit my data, this would be a plus. You see, the liability is proportional to the value paid for the software; while this would amount to almost nothing when we are talking about individuals like you and me, when a major enterprise gets burned it would be a major bite back.

The other advantage in what I suggest is that free software hobbyists would not have to pay liability penalties. Their "customers" have paid them nothing and as it is they are liable for nothing. If the same free software is sold (say like MySQL or Qt) then the company selling them is now liable. This would make Red Hat, Sun and others liable, but only as liable as the price tag on their box.

Pat Cahalan • June 1, 2006 1:04 PM

Problem : aligning interests with capability.

One solution as proposed: make the corporation's interest align with their ability to control the software.

There is another option. Deputize the developers.

Right now, software development is not an engineering profession. Make it a profession, under the definition of "profession" used by the Department of Labor. Establish professional software engineering societies. Establish schools of software engineering, instead of computer science. Require a licensed software engineer to sign off on projects for government contracts, etc.

Added side benefit - people employing programmers will get someone with solid engineering skills, who builds things to solve problems, instead of someone who invents problems to build things.

The licensed engineer can lose his/her license (and livelihood) for signing off on insecure software.

Now, if the marketing department cannot control the shipping date, the feature set, etc. by applying political pressure on the CEO/CTO/CIO, etc., it is much more difficult to force someone to meet a delivery date with insecure software, as they will be empowered to say, "I cannot sign off on this, I'll lose my license".

I can't count the number of times I've heard developers say, "I was forced into building it this way by [the customer / the marketing department / my boss / the CEO]." You give someone a deputy badge and they'll have something with which to fight political pressure.

Sure, many applications can still be built without such oversight. But you can then require financial institutions, corporate applications that deal with customer data, governmental contracts, etc., to be certified by a professional software engineer.

Once such a profession exists, software companies will want to have them sign off on other, less critical applications as well.

David Thornley • June 1, 2006 2:22 PM

The obvious problem with software liability is that it paralyzes free and open-source software. The less obvious problem is that it paralyzes small companies that produce commercial software, and "small" by this standard may not be small at all.

In many cases, how secure software is depends critically on how it is installed, where it is installed, how it is maintained, and similar things beyond the software producer's control. It's easy to snipe at companies for shipping software with insecure defaults, but if they shipped software with secure defaults some users would mess around and make the software insecure. A sound encryption program can be defeated by an executive who uses "sex" as his/her password and loses a laptop. Allow the producer to limit liability and we're in the exact same place we are now, where software producers evade liability.

The problem is not that software producers are not liable for software problems, but that nobody is. If a company has its customer information stolen, the company isn't out anything; it's the customers who have to deal with so-called identity theft and other issues.

If companies were genuinely liable for keeping customer information secure, then they would find ways to do it. They would establish liability agreements with their software suppliers, and would have incentive to use their software in a secure manner. They could use less secure software, but with a greater risk.

So, the debate over whether software suppliers should be liable for security issues seems to me irrelevant. First, we have to create an environment where somebody besides the victim is responsible, and then we can debate who it should be.

Preston L. Bannister • June 1, 2006 2:33 PM

Looking at what happened to personal aviation, I have to be wary of "software liabilities". If the money ends up going mostly to lawyers, you end up damaging both the industry and customers. Flying your own airplane is now vastly more expensive, and the rate of technical progress went through a long, deep freeze.

The notion of aligning interests is good, but I see answers that rely on lawyers as risky.

The Chilean tax-lottery reported by Bernardo is brilliant. :)

Daniel • June 1, 2006 2:50 PM

When I was visiting Taiwan, I learned that they had a really clever solution to the "Italian" problem: All receipts had numbers printed on the back. There was a regular lottery, where you could win real money if your receipt's number was drawn.

So the customers actually *want* to have a receipt. The word was that the scheme worked remarkably well.

Pat Cahalan • June 1, 2006 3:17 PM

The ACM disagrees with me:

http://www.acm.org/serving/se_policy/...

"ACM is opposed to the licensing of software engineers because ACM believes that licensing would not be effective at providing assurances that software engineers could produce reliable, dependable, and usable software systems."

I'd like to hear a more robust defense of this belief...

Brian • June 1, 2006 5:16 PM

@Pat

(Full disclosure: I am a software engineer.)

Licensing of software engineers won't work because

- the field is changing quickly. The expert of today is the hopeless newbie of tomorrow. Not conducive to setting standards for knowledge.

- there are few accepted best practices. On anything but the simplest of questions, there is rabid disagreement about the best way to complete a given task. People come up with new approaches to problems all the time, and sometimes those approaches are a genuine improvement over previous techniques.

Software is closer to art than engineering, which is frightening when you think how much depends on software working properly.

Pat Cahalan • June 1, 2006 5:41 PM

@ Brian

(Full disclosure: I am a sysadmin) :)

> - the field is changing quickly

From a software development standpoint, especially with regards to syntax, I agree. From an engineering standpoint, though, basic engineering principles are pretty stable. And really, good coding practices are good coding practices, whether you're writing Python or Ruby or C...

> - there are few accepted best practices

I think this is a political problem, not a technical one. Sure, people come up with new approaches to problems all the time, but with regards to the overall condition of the software marketplace, this isn't the problem right now.

The *drive* in the software marketplace is to come up with new approaches, new IP, new technologies, new patents, new killer apps, etc.

The *problem* is that we're building these new whizbang tools upon what is demonstrably a horrible foundation. For technology companies, we may need new and innovative ways of doing things, but for non-technology companies that rely on technology, what we need is software that doesn't suck.

When a criminal organization can blackmail a business because it controls a 100,000 host botnet that can DDOS their site, that indicates a severe breakdown in the market.

Maybe halting innovation for a while and establishing some best practices and building secure tools might be prudent...

Bruce Schneier • June 1, 2006 6:27 PM

"In that situation it is in the customer's interests not to get a receipt; how does the sign help make customers get a receipt?"

It is in the customer's best interest to point out that he has not received a receipt, which keeps the salesperson honest. (Presumably, if the salesperson forgot and was forced to give the customer the item for free, there would be paperwork involved and the salesperson would have the money docked from his pay.)

Brian • June 1, 2006 7:36 PM

I believe that Taiwan(?) handles the cash register receipt & tax recording issue by holding a lottery. Every single receipt from any store is a valid entry/ticket and everyone can play. I assume the payout (by the government) is large enough to get participation by citizens, but quite a bit less than the increased tax revenue from stores.

Compared to police hassling shoppers, this seems far better. Laws that people *want* to obey.

Brian.

quincunx • June 1, 2006 8:21 PM

"Right now, software development is not an engineering profession. Make it a profession, under the definition of "profession" used by the Department of Labor. Establish professional software engineering societies. Establish schools of software engineering, instead of computer science. Require a licensed software engineer to sign off on projects for government contracts, etc."

Man, you are just looking for a way to keep your income high. Do you know the kind of cartelization effect this would have?

Look at the medical profession: there will be a shortage of engineers. Engineers will have to intern and perform all sorts of silly routines to become part of the guild system.

This would be the perfect solution if you want MORE outsourcing, MORE corruption, MORE unemployment, and MORE black market engineering.

"Maybe halting innovation for a while and establishing some best practices and building secure tools might be prudent..."

Individuals & companies choose the amount of innovation they want. You can't use your own judgment (or that of the technocratic elite in control of said profession) to decide the proper tradeoff b/w innovation & security across the board.

You can't force regulation (which is what an occupational licensure program is) upon them and expect ANY good results to come out of it.

We don't need 'luxury-quality' engineers approved by bureaucrats, just like we don't need 'luxury-quality' doctors approved by bureaucrats.

"When a criminal organization can blackmail a business because it controls a 100,000 host botnet that can DDOS their site, that indicates a severe breakdown in the market."

How? It creates a market for prevention.

That's like saying the market doesn't work because sometimes bad things happen, and we don't count the market sector that tries to prevent it.

Mo • June 1, 2006 8:39 PM

I caught somebody pulling a variation on this. At my local coffee shop, I gave my usual order, and the guy at the register told me I owed my usual price. I gave him the money, he gave me my change. But as I took my coffee, I noticed that the total shown on the register was one dollar less.

I was running late, and it wasn't until I was a block away that I realized what had happened. The guy had figured out a transaction that totalled a dollar less than mine. He could then keep track of how many times he shorted the register, take out that amount at the end of his shift, and still have the totals come out OK.

Ending - I logged onto the company website and sent them an email with the story. They sent me a bunch of coupons. Didn't use them at that location, though.

Brian • June 2, 2006 9:52 AM

@Pat

> From an engineering standpoint, though, basic engineering principles are pretty stable.

You'd be surprised, the debates are about a lot more than syntax. Check out the discussions of agile programming vs waterfall methodologies (wear flame-proof gloves), or read "The Cathedral and the Bazaar." Or read "No Silver Bullet." Fred Brooks wrote that 20 years ago, and the software industry is still struggling with most of the basic problems he described.

> ...for non-technology companies that rely on technology, what we need is software that doesn't suck.

Yeah, definitely. I think companies are starting to make smarter purchasing and deployment decisions. We are still paying for past mistakes, however.

> When a criminal organization can blackmail a business because it controls a 100,000 host botnet that can DDOS their site, that indicates a severe breakdown in the market.

Not an engineering problem, that is a legal problem. ISPs that allow botnets to operate on their territory should be subject to serious penalties. Instead, they make money off the deal.

There are two realistic options for dealing with DDOS attacks.
1) Pay large ISPs or caching services such as Akamai to help you mitigate the threat. Expensive.
2) Choose architectures that are not vulnerable to DDOS.

Pat Cahalan • June 2, 2006 12:44 PM

@ quincunx

> Man, you are just looking for a way to keep your income high.

No, I'm not, I'm not even in the business of writing software. Besides, I didn't say it was the *best* option, I just said it was an alternate option to "aligning interest to capability".

> You can't use your own judgment (or that of the technocratic elite in control of said
> profession) to decide the proper tradeoff b/w innovation & security across the board.

This is what government is for... "This behaviour is unacceptable, ergo we must take steps to prevent it. An individual can't stop it, so a group must."

> You can't force regulation upon them and expect ANY good results to come out of it.

We've had this argument before, ad nauseam.

@ Brian

> You'd be surprised, the debates are about a lot more than syntax.

Yeah, I know. I've read "No Silver Bullet", "The Mythical Man-Month", about another dozen books on IT project management, development processes, etc., not to mention about a half-hundred different blogs by various developers in various stages of rapture over XP, Agile Programming, etc.

Most of them fail to recognize that no one process works universally. XP is a great idea if you have programmers that will work pairwise and a customer who is willing to sit in on the development cycle, but without the proper workforce and customer you're going to have a massive failure on your hands. Similarly, waterfall methods work great if you have a customer who can stick to a single set of design requirements.

Methods should match the product, customer, and dev team, and not someone's magical idea of what works in every case. The only real difference between waterfall and agile is one is putting process on top of a stable target, and the other is putting process on top of a moving target.

> I think companies are starting to make smarter purchasing and
> deployment decisions.

Smarter, sure. Smart, not so much :) Well, give it time...

> ISPs that allow botnets to operate on their territory should be subject to
> serious penalties.

This isn't enforceable, really, due to the international nature of the traffic... and I'm not sure that it is such a good idea anyway, since I don't know that I *want* my ISP monitoring my net traffic (on my home machine).

Brian • June 2, 2006 1:57 PM

@Pat

I've heard of the problems before with stopping botnets without really understanding them. Let's say that I am a large ISP, and another large ISP is hosting lots of bots in a botnet. My first step would be to complain to that ISP. If that didn't work, I would begin throttling the bandwidth to that ISP, or perhaps cut off communication with them entirely.

Are there technical reasons that can't happen? Political? Both?

Pat Cahalan • June 2, 2006 2:32 PM

@ Brian

> Are there technical reasons that can't happen? Political? Both?

Depends, really. There are legal, technical, and political issues involved.

First, there can be a huge difference between an ISP or managed network provider and a telecommunications carrier. Technically, you get your pipe from a telecommunications provider, but you may or may not get your internet service from a telecommunications provider (and in lots of instances, like SBC, the telecommunications provider and the ISP are two distinct corporate entities that don't communicate with each other very well, except to share billing information).

Your telecommunications provider gives you a pipe to transmit data between one location and another, nothing else, really. Your ISP, on the other hand, gives you a block of IP addresses and agrees to accept your network traffic and route it out of their network, with some level of service. For a consumer-level account (like DSL service), there isn't much in the way of guarantees ("You'll get about 1.5mbps upstream and 256kbps downstream on average, but this isn't guaranteed"). For a corporate level account (like business DSL, T1, ATM, whatever) there are lots of agreements and levels of service, etc. For really complex organizations, you can have service agreements that are hundreds of pages in length and detail traffic handling rules to an incredible level of complexity.

Nowadays lots of organizations also have managed network services, where they move their mission critical services to a completely separate location that, in addition to providing telecommunications and ISP services, also manages network traffic and provides yet another layer of service regarding filtering traffic or whatever. You also get services like Bruce's Counterpane, which is kind of like managed network services (but not really) :)

If a large ISP/network provider has a service agreement with a customer, they can't arbitrarily cut off the customer just because someone else complains about the customer, depending upon the terms of their agreement. Moreover, ISPs have lots of agreements with each other detailing how they'll handle traffic from each other's networks.

Unless your ISP is really a managed network provider, it's not really in their interest to manage traffic heading to your machines/network -> sorting through packets before delivery requires beefy routers, so your average ISP isn't going to offer to sort your traffic for you out of the good of their hearts... and they're not going to ask the ISPs connecting to them to sort and drop traffic before sending it to their network, either. Even if they did, they probably don't have an enforceable agreement with every other ISP.

The whole botnet issue is made way more complicated because the tens of thousands of hosts that suddenly start pounding on your machines aren't all on a single network. They can be (and usually are) spread out over multiple networks, so profiling their traffic is really difficult - routers have to dig deeper into an IP packet to find the pattern that indicates that the packet in question is A Packet of Evil. When tens of thousands of bots suddenly start saturating their own network interfaces with DDOS packets, routers start to get backed up... they don't have the time to analyze each packet, they either have to forward it along or drop it, and the ISP isn't going to drop any more traffic than it has to -> that leads to dissatisfied customers.

If you want to know more about why it's difficult to stop botnets, you'll have to read a bit about network routing protocols and how ISPs interact with each other. There are lots of good books on the subject and you can probably find a ton of info on the web.

Davi Ottenheimer • June 2, 2006 4:33 PM

"The register tape was an important development in security against employee theft. Every transaction is recorded in write-only media, in such a way that it's impossible to insert or delete transactions. It's an audit trail. Using that audit trail, the store owner can count the cash in the drawer, and compare the amount with what the register. Any discrepancies can be docked from the employee's paycheck."

This is an interesting anecdote, but seems rather naive about information security issues in a retail environment. Perhaps the data is second-hand? Write-only media? How common is that in large retail? Transaction logs are often on DOS or Windows point-of-sale devices and offer zero to no integrity controls. But never mind the ease of falsifying those records (do you really think that piece of paper in your hand can't be falsified either?), there are far more compelling attack vectors that make tinkering with logs a waste of time. But, as you point out, the most successful methods are those least visible to the consumers since the average consumer often has a better chance of understanding their finances and doing something about it.

Remember the milk example from the Colorado grocery store? Customers weren't impacted when their money went to the software developer instead of the store, and the store didn't notice until the developer started driving luxury sports cars...but if he had double-charged customers, or taken advantage of them in some other way, he probably never would have made it to the luxury sunglasses range before getting caught.

I guess the real moral of the story is that large companies probably should maintain their own adequate controls instead of depending on consumers as compensating ones, since the gap in between the two can be significant.

quincunx • June 2, 2006 6:46 PM

@Pat

This is what government is for... "This behaviour is unacceptable, ergo we must take steps to prevent it. An individual can't stop it, so a group must."

Like I said, Individuals & Companies are "groups" that can prevent it.

The group you are talking about is a group of bandits. Bandits can't solve the problem. Or they can at the expense of everything else I mentioned.

"We've had this argument before, ad nauseam."

You haven't refuted any of my arguments.

Your best example was "meat packing" standards - which I stated was happening anyway.

BTW, botnets would not be a big problem if the internet was private when it was formed. It should be privatized as soon as possible to avoid other problems as well.

Pat Cahalan • June 2, 2006 7:24 PM

@ quincunx

> You haven't refuted any of my arguments

You haven't responded to:

http://www.schneier.com/blog/archives/2006/05/...

or

http://www.schneier.com/blog/archives/2006/05/...

It seems, to me, that most of your arguments boil down to the assertion that all of our problems derive from a strong central state. Again, this may or may not be true, but a stateless society does not therefore imply these problems will go away.

You seem to think that a weak central authority has an immunity to being overthrown and replaced by a strong central state. Given the fact that there currently are *no* industrialized, agricultural societies that are stateless, I think this position is unwarranted. Lacking a proper way to simulate the complexities of a society, there is no real way I can prove to you that you're incorrect, but by the same token you can't prove to me that eliminating a strong central state is going to cause the problems generated by a strong central state to "go away", and you certainly can't convince me that they won't immediately be replaced by bigger problems.

Like I've said before, a few times, we're going to have to just accept the fact that we disagree on this point.

> Botnets would not be a big problem if the internet was private when it was formed.

That's an interesting throw-away assertion.

Marko • June 3, 2006 6:15 PM

@Pat

Licensure is well intended but a bad idea. There is no way to avoid the situation of the licensing board being made up of software producers and therefore representing their own interests and not the interests of the software consumers.

Not to imply anything sinister or malicious, but licensing would make things worse. The medical profession is a perfect example of how licensing is bad, e.g., shortage of doctors, expensive doctors, arbitrary restrictions, etc. We all know licensing doesn't come close to guaranteeing all licensed doctors are competent.

There is a great chapter about registration, certification, and licensing in Milton Friedman's book called "Capitalism and Freedom".

Pat Cahalan • June 5, 2006 11:27 AM

@ Marko

Agreed, licensing can lead to problems. It certainly isn't a cure-all.

> We all know licensing doesn't come close to guaranteeing all licensed doctors
> are competent.

I think it does, however, come close to guaranteeing that a staggeringly high percentage of doctors are competent. Sure, there are those that are incompetent. Sure, the licensing board, enabled to police itself, doesn't do enough to remove the incompetent from the practice. That's definitely a problem. Removing licensing from the medical profession isn't going to make those problems go away, however, they'll just shift problem domain.

Anyway, the medical profession is a poor comparison. Unlike, say, architecture or civil engineering, etc., in the medical profession everyone has to be capable of making life-threatening decisions. That's a tough profession to watch over, as there are no "classes"... you either *are* a doctor or you're not.

Software engineering would be more like architecture or civil engineering (or, actually, any of the engineering professions). Most of the work done in an architectural firm, for example, is done by people who are well trained but who have not passed all their professional examinations, etc. A lead architect, however, has to sign off on the work before it is deliverable.

Now you can argue that it's still an ineffective idea. But I certainly disagree that it would make things *worse*.

Davi Ottenheimer • June 5, 2006 10:14 PM

"Botnets would not be a big problem if the internet was private when it was formed."

Whoa there. I dare say the Internet would not be at all if it had been private when it was formed. Fortunately it was a public-private collaboration, and moderate heads prevailed over extremists from either camp.

"It should be privatized as soon as possible to avoid other problems as well."

Really? You mean all we have to do is privatize and we can avoid all problems? This sounds like the crack method of promoting economic theory. Hey kid, did you know your life will be so much better if you privatize the entire Internet? Trust me. All your other problems will disappear.

rhc • June 18, 2006 9:42 PM

The State of Texas for the Doghouse!

This year in Texas the state paid a Utah company several hundred thousands of dollars to analyze the local No Child Left Behind assessments for statistical anomalies. The stated goal of such analysis was to catch cheating on this high stakes test, which at certain times determines promotion and graduation opportunities. Of course the analysis finds much evidence of cheating, and we are now in our yearly ritual of catching the evil cheaters.

Of course this would all go away if the State of Texas would align interest with capability. For example, the interest of the student is to graduate. Most students do this by working to make a suitable grade and gain credit for classes needed to graduate. We align interest with capability by providing regular grades and yearly promotions from grade level to grade level. However, the state test does not do this. The state test cannot be used for grades, and in high school cannot be used for promotion purposes. So, even though the state test is used to punish schools at each grade level, there is no student interest in passing the test until the senior year, at which time it no longer counts for the school. This leads to a situation where students 'blow off' the test for the first three years of high school, and then become desperate to pass it, using any means necessary.

On the other side is the teacher. The interest of the teacher is to get as many students as possible to do well on this test. If enough students do not do well, then the teacher will not receive bonuses and can even be fired or forced into humiliating menial positions. However, as the teacher cannot use any of the standard carrots and sticks, and as the teacher cannot even be present while one of his or her students takes the test, the teacher is hard pressed to find ways to encourage the unmotivated kid to take the test, as opposed to just filling in bubbles. Since the teacher's interest is for the students to pass the test, but the capability is limited, some teachers, using perfectly rational if unethical logic, will cheat.

The end situation is that the alignment of interest and capability of the test taker and test monitor is not to create a secure situation, but in fact to cheat on the test. All that can happen to the student is that he or she will have to take the test again. All that can happen to the teacher is a loss of the job, and maybe a teaching certificate, which will happen anyway if enough students do not pass.

I am sure that most people will just say that the teachers need to teach better. To that I ask if any rational person is going to do their best on something that has absolutely no immediate consequences, but might have negative consequences on a person you might not much care for? For instance, if leaving the trash can out overnight would annoy your neighbor, might you not do it even though it is strictly against various regulations?

Given how the State of Texas has so perfectly misaligned interest with capability, might I nominate them for the Doghouse?

Lawrence • June 19, 2006 9:20 AM

Shanghai has a good way of getting you to want receipts in restaurants.

Each tax receipt is like a lottery ticket. They all have a scratch area, and you can 'win' small amounts of money on random tickets. Tickets that don't win can be checked online against the tax bureau's site for a further draw for money.

It works pretty well - nowadays everyone wants a receipt.

Gabriella • September 17, 2010 5:41 PM

I have a huge question. I have a seven eleven where I live and I go there almost every day..now I never get a receipt of the purchased items I buy!! And they have made me over pay many times. My question is, what can I do to stop this so they give a receipt automatically after I have paid?? And I'm not the only person who has a problem with this either. Could I call the IRS on them?? Thank you for the help


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..