WEIS 07

I've written about the 2006 Workshop on Economics of Information Security (WEIS); I think it's the most interesting security conference out there.

WEIS 2007 will be held at Carnegie Mellon University on June 6-7. There's a call for papers, if you want to submit something.

Posted on November 22, 2006 at 2:16 PM • 18 Comments

Comments

Clive Robinson • November 23, 2006 7:59 AM

@Bruce,

Now you and Ross have crossed InfoSec with the works of Adam Smith (baptized on June 5, 1723 in Kirkcaldy, Fife, Scotland).

How about doing it again with the works of Charles Darwin (born February 12, 1809 in Shrewsbury, England)

And bringing things a little more up to date ;)

quincunx • November 23, 2006 2:29 PM

'A whole sheet, or just a little torn off bit?'

A whole sheet, two sides, two columns, size 4 font.

@ Clive

What is up with the fetish of applying the narrow biological evolution of Darwinism to other phenomena? Why not keep it confined to where it belongs.

Clive Robinson • November 24, 2006 5:12 AM

@quincunx

"What is up with the fetish of applying the narrow biological evolution of Darwinism to other phenomena?"

The glib answer is that it is the "narrow biological" creatures that design, use and pay for them (ie You, me and maybe a few other readers of this page ;)

On a more serious note, if you look at systems like "general coverage" or "Street" "Crime Prevention CCTV" in towns, they no longer work. Why? Because they are static and cannot evolve as fast as those they are observing.

It is one of the reasons you have the teenage "Hoodie" wandering about your average town center. Interestingly not because the majority of them are criminals / vandals / sociopaths etc; it is partly the culture, and partly a response to the CCTV and the attitudes of the "biological" back up systems.

It has kind of turned into a way of "thumbing your nose" at authority; however genuine criminals just love it as they blend right in...

We now know that the majority of general / street CCTV systems get put into place for all the wrong reasons (ie spending money to save / get money, visible security, etc). However they do not do what they were originally advertised as doing, which is "Crime Prevention"; at best they have become after-the-event diagnostic tools, at worst they provide "cheap thrills" for the operators and program fillers for cable TV...

Other areas of technology which have, apparently unpredictably become "must haves" not just for individuals but organisations as well, are things such as EMail, SMS and more recently Camera Phones.

For instance insurance companies are just starting to realise that phones with high quality digital cameras in them are affecting them financially, likewise the Police and Traffic Wardens (Parking Control Officers).

Once upon a time these organisations at grass roots were able to be a law unto themselves; now they have become accountable to just about everybody who points-n-clicks, and we are all starting to have one in our pocket (in the UK at least).

Also the pictures / video / sound recordings have nice little time stamps on them that most judges will currently either accept or not question.

As a recent little "social engineering" experiment, every time I see a Traffic Warden hanging around parked cars I very obviously get my Phone out and look like I am taking photos of them and the cars.

So far about 80% of the time they react very badly, and try and hide or get back on their motorbikes and drive off. Why?

Am I scaring them, if so why?

Could it be because they think "they are actually doing something wrong" in order to get their "ten cents on the dollar" of the parking fine or could it be some other reason?

I only started the experiment after a friend had done the same research on the Police. I have been told the Police now only occasionally get upset if you photo them, and then seldom ask for the phone. Also when told "too late, I've sent it" they tend to stop asking, but importantly they do not stop what they are doing. Why?

More interestingly some Police Officers tend to forget that there are street CCTV looking at them or that their own cars have cameras filming them, as has recently been seen world wide with a suspect being badly beaten by two officers.

All of these behaviour patterns are "evolutionary" responses to a change of stimulus. And as has been seen, natural selection has started to take effect. Those criminals who don't take precautions in front of CCTV often end up out of circulation; likewise Police officers have been taken off street duty pending further enquiries.

If when designing a system you do not take evolution into account then your system becomes either useless or increasingly vulnerable; either way it's a wasted opportunity and wasted resources (Think TAX dollars).

In the case of fixed street CCTV it is increasingly becoming useless because criminals dress and act in ways that give no apparent identification, or they avoid them and commit crime elsewhere.

In the case of phishing it is now starting to become directed.

Likewise anti-virus companies are indicating that zero day and other new attacks are now being reserved for specific, not general, attacks by crackers joining the payroll of cyber criminals. The apparent intent is "for profit" not "for bragging points".

I am not the only person to think like this; see

http://www.ft.com/cms/s/...

I'm probably the first to call it an evolutionary response though.

Clive Robinson • November 24, 2006 5:17 AM

@quincunx

Oh one point I forgot,

"Security officers who don't evolve become unemployment statistics"

Is that likely to affect you?

Ale • November 24, 2006 5:51 AM

In my view, economics and evolution are linked at the deepest level. In both cases we have sets of autonomous agents interacting through shared resources. Competition, adaptation and escalating measure-countermeasure cycles are present in both. It may be that it is just two sides of the same coin.

Clive Robinson • November 24, 2006 8:36 AM

@Ale,

You might well be right; at the level I studied them the maths / models were different.

However you do raise an interesting point: at what point does a model become non field specific, ie almost fundamental to the way we work, in a large number of fields?

"Renaissance men" such as Leonardo da Vinci practiced in many fields (art, engineering, music, medicine, book binding, etc). One of their strengths came from recognising the "transferable technology" from one field to another.

Regular • November 24, 2006 11:57 AM

@quincunx

"What is up with the fetish of applying the narrow biological evolution of Darwinism to other phenomena? Why not keep it confined to where it belongs."

Fetish? Narrow? ROTFL. The... irony... is... too... much...

Bwa-ha-ha-ha-ha-ha /\/\/\/\

quincunx • November 24, 2006 6:28 PM

@Regular

"Fetish? Narrow? ROTFL. The... irony... is... too... much..."

Is that your argument?

@ Clive Robinson

I simply disagree with the practice of comparing technological progress/cultural development with Darwin's biological evolutionary process. The two are very different.

I pretty much agree with the things you have said, but I do not draw the conclusion that they are 'evolutionary', and many of the activities you describe can be explained with economics and public policy anyway.

quincunx • November 24, 2006 10:04 PM

'The glib answer is that it is the "narrow biological" creatures that design, use and pay for them (ie You, me and maybe a few other readers of this page ;)'

If by pay, you mean I have money extracted from me by the threat of imprisonment then yes, I do pay. Though I think robbed is the more appropriate term.

'On a more serious note, if you look at systems like "general coverage" or "Street" "Crime Prevention CCTV" in towns, they no longer work. Why? Because they are static and cannot evolve as fast as those they are observing.'

Correct, but I could have told you that without bringing in evolution theory. I would have just told you that demand for privacy leads to methods of finding a supply.

'It is one of the reasons you have the teenage "Hoodie" wandering about your average town center. Interestingly not because the majority of them are criminals / vandals / sociopaths etc; it is partly the culture, and partly a response to the CCTV and the attitudes of the "biological" back up systems.'

A large element of this 'culture' is produced by systematic disemployment of the youth by public policy and compulsory schooling. Hardly a natural occurrence.

'If when designing a system you do not take evolution into account then your system becomes either useless or increasingly vulnerable; either way it's a wasted opportunity and wasted resources (Think TAX dollars).'

That in no way proves that CCTV are ineffective (notice I take no side). What it does prove is that CCTV on government roads, built by government contractors, does not work. In the sphere of politics one cannot tell which solutions will work because they are implemented by force and one-size-fits-all compromises.

I understand that it's a waste of resources, but to whom? It is clear that there are beneficiaries who have a central bureau to go to and enforce their ideas on what 'security' means. The manufacturers have a keen interest in colluding with the state, opinions of security-minded intellectuals notwithstanding. All that is necessary is to sell the idea to the state. The question is, do we want to have an organization funded by robbing the masses, and handing out money & concessions to third parties?

'Likewise anti-virus companies are indicating that zero day and other new attacks are now being reserved for specific, not general, attacks by crackers joining the payroll of cyber criminals. The apparent intent is "for profit" not "for bragging points"'

The question is what fuels these emerging profits?

And what is holding back solutions?

Well, you know my answer.

Don B • November 26, 2006 3:35 PM

@quincunx

You might be taken more seriously if you presented your ideas in a practical way. You propose a goal, yet you never mention how that goal can be achieved.

In other words, how could such a transition happen?

As a profitable 20-year business owner, I recognize the value of social and economic stability. It lets me focus on running and expanding my business, instead of on defending my life and property. If a percentage of my profit goes to the government, at least I know what that percentage is and can account for it in my business planning, practices, and pricing.

Instability presents a much greater risk, however.

I can see no way to achieve your stated goal without a lot of social and economic instability, lasting an unknown period of time, with unknown overhead costs in the end. The "overhead costs" or percentage I already pay to the government today might be less than the percentage I would have to pay tomorrow for private contractors to provide the same level of stability in your end-state. You pitch a rosy future, but return on investment, transition costs, and cost/benefit are all unquantified in your proposal. As a rational risk-minimizing capitalist, it hardly seems like a risk worth taking.

If you know of some plan for reaching your proposed goal, you might improve your credibility by describing it, even in general terms. Without such a plan, your proposal is equivalent to Aesop's ancient fable "Belling the Cat":

http://www.bartelby.com/17/1/67.html

quincunx • November 27, 2006 6:59 PM

"You might be taken more seriously if you presented your ideas in a practical way. You propose a goal, yet you never mention how that goal can be achieved."

That is true, but it is a very difficult procedure that is bound to come up against powerful special interests.

The best way, unfortunately is the slow way: a general delegitimation of the state.

"In other words, how could such a transition happen?"

When more people know who the enemy is.

Once that happens people will seek alternate institutions for their security needs. I encourage this practice.

"As a profitable 20-year business owner, I recognize the value of social and economic stability. It lets me focus on running and expanding my business, instead of on defending my life and property."

I have much respect for entrepreneurs. I too recognize that stability is a good thing. I just don't see it. I see short-term stability and nothing more.

"If a percentage of my profit goes to the government, at least I know what that percentage is and can account for it in my business planning, practices, and pricing."

You know what they are NOW, but do you know what they will be?

I know nothing about your business, but I suspect that having double digit inflation and double digit interest rates, like they were in the 70s, would not be good for your business. Nor will the immense amount of ad-hoc legislation that will be introduced during this period.

I suspect that we will face this problem soon. I have many reasons for this speculation, which I will not delve into.

'The "overhead costs" or percentage I already pay to the government today might be less than the percentage I would have to pay tomorrow for private contractors to provide the same level of stability in your end-state.'

That is impossible. Removing de jure monopolies and oligopolies can only increase the standard of living. If you need empirical proof of this look no further than eastern Europe.

Actually a much better example is the internet. What happened once the NSF removed its commercial restrictions AND released its routing table to private companies in 1992?

Now imagine that same outcome (which we all know) spread out as wide as possible.

"You pitch a rosy future, but return on investment, transition costs, and cost/benefit are all unquantified in your proposal."

They are unquantified for a good reason. I am not selling snake oil.

Supply & Demand will have to adjust for every industry that is freed. This adjustment will be imputed back into the basic elements of land, labor, capital.

The longer we allow the state to grow, the harsher will the adjustment have to be. And seeing as how history is riddled with failed states, I do not hesitate to think that the same fate awaits our society as well.

'As a rational risk-minimizing capitalist, it hardly seems like a risk worth taking.'

Fine. But why not encourage the more risk-taking capitalists? And investing in them if it works out?

"If you know of some plan for reaching your proposed goal, you might improve your credibility by describing it, even in general terms."

I doubt that I can improve my credibility by describing an all encompassing central plan that will lead to the goal. In fact I refuse to do it precisely because all central planning is pretentious and snake-oil selling. In trying to do so, I invalidate my goal.

Don B • November 27, 2006 8:43 PM

@quincunx

As a business owner listening to your sales pitch, you still lack credibility.

You have no discernible track record making accurate predictions, so I don't know what credence to give your forecasts. You could be right or you could be wrong. There's no way to tell. I'm not asking for a "centralized plan", just any kind of plan, suggestion, or recommendation. Without some way to evaluate you and your claims, it is impossible to distinguish your claims from snake oil, or to distinguish you from a random security crackpot (no offense intended).

I don't recall ever seeing you offer any concrete recommendations that anyone could apply, other than the removal of the government. That's hardly a practical suggestion, though, for what should be obvious reasons: they will not go gently into that good night. It's one thing for, say, the Soviet Union to crumble from within. It's another thing entirely to try pushing it over if it's not ready to crumble.

I lived through the 70's, and I lived through the dot-com bubble, yet the basics of sound business practice really didn't change. It wasn't easy to expand or even survive in the 70's, but it was possible. Same for the dot-bomb era.

Re: Eastern Europe, they are still strongly influenced by oligopolies. And a lot of people there now have a lower standard of living and a bleak future, chiefly older pensioners. Even if the average standard of living improved, that says nothing about the extremes.

You seem to have a lot of theoretical knowledge but very little real experience with hands-on capitalism: the actual operation of business. This does nothing to enhance your credibility. Every business owner knows the future is unpredictable: forecasts are not facts, and long-range forecasts are usually pointless. Delivering real goods and services today is very different from delivering far-flung speculation about the shape of tomorrow. Even businesses who offer planning services today have a credible business plan and some kind of track record of performance. The ones that don't, well, they don't get much business.

If you really believe what you're saying, I encourage you to build a business with it. If it succeeds, you'll learn a lot about how business really works. If it fails, you'll still learn a lot about how business really works. On the other hand, if all you do is make pseudonymous posts on another person's security blog, well, one really has to question the quality of your message. It lacks the ring of truth.

quincunx • November 27, 2006 11:24 PM

'You have no discernible track record making accurate predictions, so I don't know what credence to give your forecasts. You could be right or you could be wrong. There's no way to tell.'

I rely only on good economic theories, specifically the ones that state that you can't infuse trillions of dollars of fiat currency into an economy, engage in a war, and not expect a depression, especially with the 20th century record.

'There's no way to tell. I'm not asking for a "centralized plan", just any kind of plan, suggestion, or recommendation.'

OK, I'll give it a shot. These are of course generic, not necessarily for you. I can only suggest individual peaceful action on both moral and practical grounds.

Use e-gold.
Use private arbitration.
Buy more foreign goods.
Do not buy gov bonds.
Do not use banks. (if at all possible, not the case for most).
Boycott all government-sponsored corporations.
Use all the legitimate loopholes when doing your taxes.
Support institutions with the same goal.
Always go to court for traffic & other minor violations.
Buy guns. Practice shooting them.
Insist that the state follows its own rules (ie point out that compulsory schooling, jury duty and military service all violate the 13th amendment).
Continue to point out the crimes of the state against civil society.

Encourage more people to do the above, to the personal extent possible.

As far as political action, the best ones are the ones that limit the supply of money to the government. All the rest follow.

I encourage the abolition of the withholding tax (that WWII emergency measure that never seems to go away, [thank you Milton Friedman]), the income tax, the federal reserve, etc.

I do not have practical strategies that will work against the tremendous special interests, other than hopeful legislation, that will be immediately blocked.

Most importantly rail against all legislation that does not remove previous legislation.

'It's one thing for, say, the Soviet Union to crumble from within. It's another thing entirely to try pushing it over if it's not ready to crumble.'

Whoa, you make it sound like the SU crumbled by some mysterious forces outside of individuals acting on such a desire to crumble it.

'You seem to have a lot of theoretical knowledge but very little real experience with hands-on capitalism: the actual operation of business. '

I think that is the case for many intellectuals in their ivory towers, yet they seem to have a lot of opinion on essentially economic matters as well. For some reason in their case, book-reading works just as well as business-making.

'If you really believe what you're saying, I encourage you to build a business with it'

Working on it, need to save up more. I appreciate the sincere suggestion.

'On the other hand, if all you do is make pseudonymous posts on another person's security blog, well, one really has to question the quality of your message.'

Bah! Most people do that!

Don B • November 28, 2006 6:12 PM

@quincunx

Thanks for the list of recommendations. It turns out I'm already doing many of them. The ones I'm not, well, the reasons vary.

Re: SU crumbling. My poor choice of words. Of course it crumbled due to the actions of individuals. Many of them. Acting at the right time. My main point was that there were many others who came before who tried the same thing and paid with their lives. Timing and circumstance is crucial for success. This seems self-evident, but it's shocking how often it's ignored.

"Bah! Most people do that!"

Not sure how to read that: as agreement or rebuff.

The crucial qualifier in my comment was "all". If that's ALL you do, then your message lacks the ring of truth. And yes, I'd say if that's ALL most people do, then it also lacks the ring of truth. In other words, talk is cheap, actions count, and so on. All as implied by the "Belling the Cat" fable.

quincunx • November 28, 2006 9:04 PM

'Thanks for the list of recommendations. It turns out I'm already doing many of them. The ones I'm not, well, the reasons vary.'

I am glad that I was able to provide what you wanted.

'Not sure how to read that: as agreement or rebuff.'

I meant that most people who comment on this blog post with pseudonyms. It's sorta the common thing. That is all I meant.

'In other words, talk is cheap, actions count, and so on.'

I agree. Though this proverb is a little harsh, talk is action, too :)
