Schneier on Security

echo • January 31, 2024 9:10 AM

I’m slightly scratching my head over this one but it’s a fair reinvention of the European Convention and GDPR i.e. it’s not a good idea to scare or exploit or kill your customers if you want to stay in business.

Oddly, surveys indicate than banks followed by private business are often more progressive than state sector institutions certainly when it comes to speed of implementing new measures. It’s the opposite to what most people expect. It’s also really weird that some companies and financial backers with the worst public image can be the most progressive with investment and recruitment practices. I’m still scratching my head over that one especially as things can head badly south at the implementation stage. The internal organisational skew plus monitising both the upside and downside might be a thing there. Give people metrics and hard backstops and internal pressure to ensure consistency from the top down and implementation seems to be fine.

Security by obscurity can and does work but needs a set of internal rules to police itself to maintain the obscurity. Of course when those rules are breached it’s anything goes so the question is can the system age out before the secret is discovered. Sometimes not always as a certain Orange *&%$ Gibbon has learned.

It’s interesting to observe from this that security of a system isn’t just technical security but also economic security and social security. The presence of one enhances the others.

echo • January 31, 2024 10:56 PM

The CFPB notes that some companies have tried to claim that their current systems provide security by being difficult to use. As security experts, we disagree: Such aging financial systems are notoriously insecure and simply rely upon security through obscurity.

Nitpicking the details…

You don’t need to be a security expert to dislike bad systems. Off the top of my head I have never met a professional developer who believes systems shouldn’t be well formed and implemented and the data accessible and portable. Yes, I know there are hacks around and mangled code and byzantine data structures especially with legacy code in some sectors but that’s mostly the fault of management and recruitment. I’d like to know what IT director peddled the line about security. As it happens the last IT director, a none software developer, I came cross who pulled this kind of thing I managed to get fired with their name all over the newspapers and their reputation ruined. I may also have managed with varying levels of indirection to get the entire board of a trust suspended then fired for a failure of standards in a none IT related field. A third organisation which was a “cash cow” managed to go bankrupt after the board ignored my systems and procurement advice. They would have gone bankrupt anyway because the culture at the top was causing this kind of problem across the whole company.

If I were a director of any one of these finance companies I’d recommend the company view the proposed regulations as protecting them from themselves.

I don’t know where any lawyers may be involved if they were but you can only turn a blind eye to bullshit so much without risking your licence.

English law is different to US law in the sense you cannot sign your rights away and under the GDPR the data is yours. My view is who owns the data needs to be challenged. There may also be wiggle room under “joint enterprise”. Incorrect data is in English law an “improper document” i.e. a fraud potentially prosecutable under the Fraud Act.

https://livrepository.liverpool.ac.uk/3012313/1/201042524_Sep2017.pdf

Prosecuting Fraud in the Metropolis,
1760-1820
By Cerian Charlotte Griffiths

I have an occasional interest in legal archaeology. The “Doom Book” and “deep law” and “law of the land” is a hoot depending on whether you are buying or selling. English case law relating to fraud prior to 1776 which may apply in the US is a bit thin. “Cheating” “false pretences” and “artful device” are keywords. Also “protect the conditions of commercialism” and “larceny by a trick”.

The most significant example of such a situation is Pear’s Case. In Pear’s, a horse was hired with the intent to take the horse and not return it. The court interpreted the law such that this behaviour fell under larceny. The defence was that the owner had consented to giving the horse to Pear and consequently, there had been no seizure. The court rejected this claim, holding that even though the owner had consented to the passing of the possession of the horse, he had not consented to the passing of the title of the horse and thus, the horse was not legally transferred, but merely bailed to Pear. Thus, by taking the horse in its entirety, both the actual horse and the title to the horse, Pear had seized the horse and therefore committed larceny. This distinction has frequently been referred to as ‘larceny by a trick’. Such reasoning was applied by the law and the courts into the nineteenth century with case law supporting the doctrine that licencing of goods, as bailment of goods, does not equate to the free transfer of those goods. Therefore, the intentional and dishonest taking of those goods still amounts to larceny.

Interesting… Sadly this is a 1779 case. It’s interesting reading this though when you compare it with licensing software i.e. you sign away all your rights (this only applies under the US jurisdiction not UK) and don’t own a product you just bought. Curious, that when patents and copyright are sufficient protection. As we know 99% of the reason is to avoid liability and arm twist and con people into accepting poor quality goods without redress.

I mention this more to draw out another point of view. I didn’t expect looking at the evolution of 18th Century English law compared to the evolution of 20th/21st Century US law would turn out this way.

By examining a select few of the Forgery Acts, it becomes apparent how even the larger pieces of forgery legislation was very specific in its application, such as the Forgery Act of 1562 which extended forging to ‘false and untrue charters, evidence, deeds and writings.’ Elizabethan legislation introduced a wide range of forgery offences including the forging of wills, which would previously have been considered private documents and therefore, would not have been indictable as a forgery. Here again we see the keen distinction deployed in the early modern era between private and public harms. Again, there is a gradual move in jurisprudence to relocate previously defined private trespasses into the criminal courts.

UK government and police are very weak on holding state officials (including government ministers) and complex white collar crime to account. That’s a combination of the “god chap” doctrine and the state tends not to prosecute the state, and underfunding. Stuff could be prosecuted which explains, in part, the rise in private prosecutions which post Lord Lucan scandal require permission by the Director of Public Prosecutions. Yes, the establishment had forgot such a possibility existed so after a private case was sucessful they were a tad alarmed so shut down this “loophole”. While it’s strictly speaking not required I look with envy at the US having the RICO Act and the French putting ex Presidents and officials in the slammer.