Entries Tagged "essays"

Page 42 of 48

Is There Strategic Software?

If you define “critical infrastructure” as “things essential for the functioning of a society and economy,” then software is critical infrastructure. For many companies and individuals, if their computers stop working, they stop working.

It’s a situation that snuck up on us. Everyone knew that the software that flies 747s or targets cruise missiles was critical, but who thought of the airlines’ weight and balance computers, or the operating system running the databases and spreadsheets that determine which cruise missiles get shipped where?

And over the years, common, off-the-shelf, personal- and business-grade software has been used for more and more critical applications. Today we find ourselves in a situation where a well-positioned flaw in Windows, Cisco routers or Apache could seriously affect the economy.

It’s perfectly rational to assume that some programmers—a tiny minority I’m sure—are deliberately adding vulnerabilities and back doors into the code they write. I’m actually kind of amazed that back doors secretly added by the CIA/NSA, MI5, the Chinese, Mossad and others don’t conflict with each other. Even if these groups aren’t infiltrating software companies with back doors, you can be sure they’re scouring products for vulnerabilities they can exploit, if necessary. On the other hand, we’re already living in a world where dozens of new flaws are discovered in common software products weekly, and the economy is humming along. But we’re not talking about this month’s worm from Asia or new phishing software from the Russian mafia—we’re talking national intelligence organizations. “Infowar” is an overhyped term, but the next war will have a cyberspace component, and these organizations wouldn’t be doing their jobs if they weren’t preparing for it.

Marcus is 100 percent correct when he says it’s simply too late to do anything about it. The software industry is international, and no country can start demanding domestic-only software and expect to get anywhere. Nor would that actually solve the problem, which is more about the allegiance of millions of individual programmers than which country they happen to inhabit.

So, what to do? The key here is to remember the real problem: current commercial software practices are not secure enough to reliably detect and delete deliberately inserted malicious code. Once you understand this, you’ll drop the red herring arguments that led to CheckPoint not being able to buy Sourcefire and concentrate on the real solution: defense in depth.

In theory, security software are after-the-fact kludges because the underlying OS and apps are riddled with vulnerabilities. If your software were written properly, you wouldn’t need a firewall—right?

If we were to get serious about critical infrastructure, we’d recognize it’s all critical and start building security software to protect it. We’d build our security based on the principles of safe failure; we’d assume security would fail and make sure it’s OK when it does. We’d use defense in depth and compartmentalization to minimize the effects of failure. Basically, we’d do everything we’re supposed to do now to secure our networks.

It’d be expensive, probably prohibitively so. Maybe it would be easier to continue to ignore the problem, or at least manage geopolitics so that no national military wants to take us down.

This is the second half of a point/counterpoint I did with Marcus Ranum (here’s his half) for the September 2006 issue of Information Security Magazine.

Posted on September 12, 2006 at 10:38 AMView Comments

Educating Users

I’ve met users, and they’re not fluent in security. They might be fluent in spreadsheets, eBay, or sending jokes over e-mail, but they’re not technologists, let alone security people. Of course, they’re making all sorts of security mistakes. I too have tried educating users, and I agree that it’s largely futile.

Part of the problem is generational. We’ve seen this with all sorts of technologies: electricity, telephones, microwave ovens, VCRs, video games. Older generations approach newfangled technologies with trepidation, distrust and confusion, while the children who grew up with them understand them intuitively.

But while the don’t-get-it generation will die off eventually, we won’t suddenly enter an era of unprecedented computer security. Technology moves too fast these days; there’s no time for any generation to become fluent in anything.

Earlier this year, researchers ran an experiment in London’s financial district. Someone stood on a street corner and handed out CDs, saying they were a “special Valentine’s Day promotion.” Many people, some working at sensitive bank workstations, ran the program on the CDs on their work computers. The program was benign—all it did was alert some computer on the Internet that it was running—but it could just have easily been malicious. The researchers concluded that users don’t care about security. That’s simply not true. Users care about security—they just don’t understand it.

I don’t see a failure of education; I see a failure of technology. It shouldn’t have been possible for those users to run that CD, or for a random program stuffed into a banking computer to “phone home” across the Internet.

The real problem is that computers don’t work well. The industry has convinced everyone that people need a computer to survive, and at the same time it’s made computers so complicated that only an expert can maintain them.

If I try to repair my home heating system, I’m likely to break all sorts of safety rules. I have no experience in that sort of thing, and honestly, there’s no point in trying to educate me. But the heating system works fine without my having to learn anything about it. I know how to set my thermostat and to call a professional if anything goes wrong.

Punishment isn’t something you do instead of education; it’s a form of education—a very primal form of education best suited to children and animals (and experts aren’t so sure about children). I say we stop punishing people for failures of technology, and demand that computer companies market secure hardware and software.

This originally appeared in the April 2006 issue of Information Security Magazine, as the second part of a point/counterpoint with Marcus Ranum. You can read Marcus’s essay here, if you are a subscriber. (Subscriptions are free to “qualified” people.)

EDITED TO ADD (9/11): Here’s Marcus’s half.

Posted on August 22, 2006 at 12:35 PMView Comments

Last Week's Terrorism Arrests

Hours-long waits in the security line. Ridiculous prohibitions on what you can carry onboard. Last week’s foiling of a major terrorist plot and the subsequent airport security graphically illustrates the difference between effective security and security theater.

None of the airplane security measures implemented because of 9/11—no-fly lists, secondary screening, prohibitions against pocket knives and corkscrews—had anything to do with last week’s arrests. And they wouldn’t have prevented the planned attacks, had the terrorists not been arrested. A national ID card wouldn’t have made a difference, either.

Instead, the arrests are a victory for old-fashioned intelligence and investigation. Details are still secret, but police in at least two countries were watching the terrorists for a long time. They followed leads, figured out who was talking to whom, and slowly pieced together both the network and the plot.

The new airplane security measures focus on that plot, because authorities believe they have not captured everyone involved. It’s reasonable to assume that a few lone plotters, knowing their compatriots are in jail and fearing their own arrest, would try to finish the job on their own. The authorities are not being public with the details—much of the “explosive liquid” story doesn’t hang together—but the excessive security measures seem prudent.

But only temporarily. Banning box cutters since 9/11, or taking off our shoes since Richard Reid, has not made us any safer. And a long-term prohibition against liquid carry-ons won’t make us safer, either. It’s not just that there are ways around the rules, it’s that focusing on tactics is a losing proposition.

It’s easy to defend against what the terrorists planned last time, but it’s shortsighted. If we spend billions fielding liquid-analysis machines in airports and the terrorists use solid explosives, we’ve wasted our money. If they target shopping malls, we’ve wasted our money. Focusing on tactics simply forces the terrorists to make a minor modification in their plans. There are too many targets—stadiums, schools, theaters, churches, the long line of densely packed people before airport security—and too many ways to kill people.

Security measures that require us to guess correctly don’t work, because invariably we will guess wrong. It’s not security, it’s security theater: measures designed to make us feel safer but not actually safer.

Airport security is the last line of defense, and not a very good one at that. Sure, it’ll catch the sloppy and the stupid—and that’s a good enough reason not to do away with it entirely—but it won’t catch a well-planned plot. We can’t keep weapons out of prisons; we can’t possibly keep them off airplanes.

The goal of a terrorist is to cause terror. Last week’s arrests demonstrate how real security doesn’t focus on possible terrorist tactics, but on the terrorists themselves. It’s a victory for intelligence and investigation, and a dramatic demonstration of how investments in these areas pay off.

And if you want to know what you can do to help? Don’t be terrorized. They terrorize more of us if they kill some of us, but the dead are beside the point. If we give in to fear, the terrorists achieve their goal even if they were arrested. If we refuse to be terrorized, then they lose—even if their attacks succeed.

This op ed appeared today in the Minneapolis Star-Tribune.

EDITED TO ADD (8/13): The Department of Homeland Security declares an entire state of matter a security risk. And here’s a good commentary on being scared.

Posted on August 13, 2006 at 8:15 AMView Comments

Doping in Professional Sports

The big news in professional bicycle racing is that Floyd Landis may be stripped of his Tour de France title because he tested positive for a banned performance-enhancing drug. Sidestepping the entire issue of whether professional athletes should be allowed to take performance-enhancing drugs, how dangerous those drugs are, and what constitutes a performance-enhancing drug in the first place, I’d like to talk about the security and economic issues surrounding the issue of doping in professional sports.

Drug testing is a security issue. Various sports federations around the world do their best to detect illegal doping, and players do their best to evade the tests. It’s a classic security arms race: improvements in detection technologies lead to improvements in drug detection evasion, which in turn spur the development of better detection capabilities. Right now, it seems that the drugs are winning; in places, these drug tests are described as “intelligence tests”: if you can’t get around them, you don’t deserve to play.

But unlike many security arms races, the detectors have the ability to look into the past. Last year, a laboratory tested Lance Armstrong’s urine and found traces of the banned substance EPO. What’s interesting is that the urine sample tested wasn’t from 2005; it was from 1999. Back then, there weren’t any good tests for EVO in urine. Today there are, and the lab took a frozen urine sample—who knew that labs save urine samples from athletes?—and tested it. He was later cleared—the lab procedures were sloppy—but I don’t think the real ramifications of the episode were ever well understood. Testing can go back in time.

This has two major effects. One, doctors who develop new performance-enhancing drugs may know exactly what sorts of tests the anti-doping laboratories are going to run, and they can test their ability to evade drug detection beforehand. But they cannot know what sorts of tests will be developed in the future, and athletes cannot assume that just because a drug is undetectable today it will remain so years later.

Two, athletes accused of doping based on years-old urine samples have no way of defending themselves. They can’t resubmit to testing; it’s too late. If I were an athlete worried about these accusations, I would deposit my urine “in escrow” on a regular basis to give me some ability to contest an accusation.

The doping arms race will continue because of the incentives. It’s a classic Prisoner’s Dilemma. Consider two competing athletes: Alice and Bob. Both Alice and Bob have to individually decide if they are going to take drugs or not.

Imagine Alice evaluating her two options:

“If Bob doesn’t take any drugs,” she thinks, “then it will be in my best interest to take them. They will give me a performance edge against Bob. I have a better chance of winning.

“Similarly, if Bob takes drugs, it’s also in my interest to agree to take them. At least that way Bob won’t have an advantage over me.

“So even though I have no control over what Bob chooses to do, taking drugs gives me the better outcome, regardless of what his action.”

Unfortunately, Bob goes through exactly the same analysis. As a result, they both take performance-enhancing drugs and neither has the advantage over the other. If they could just trust each other, they could refrain from taking the drugs and maintain the same non-advantage status—without any legal or physical danger. But competing athletes can’t trust each other, and everyone feels he has to dope—and continues to search out newer and more undetectable drugs—in order to compete. And the arms race continues.

Some sports are more vigilant about drug detection than others. European bicycle racing is particularly vigilant; so are the Olympics. American professional sports are far more lenient, often trying to give the appearance of vigilance while still allowing athletes to use performance-enhancing drugs. They know that their fans want to see beefy linebackers, powerful sluggers, and lightning-fast sprinters. So, with a wink and a nod, they only test for the easy stuff.

For example, look at baseball’s current debate on human growth hormone: HGH. They have serious tests, and penalties, for steroid use, but everyone knows that players are now taking HGH because there is no urine test for it. There’s a blood test in development, but it’s still some time away from working. The way to stop HGH use is to take blood tests now and store them for future testing, but the players’ union has refused to allow it and the baseball commissioner isn’t pushing it.

In the end, doping is all about economics. Athletes will continue to dope because the Prisoner’s Dilemma forces them to do so. Sports authorities will either improve their detection capabilities or continue to pretend to do so—depending on their fans and their revenues. And as technology continues to improve, professional athletes will become more like deliberately designed racing cars.

This essay originally appeared on Wired.com.

Posted on August 10, 2006 at 5:18 AMView Comments

Bot Networks

What could you do if you controlled a network of thousands of computers—or, at least, could use the spare processor cycles on those machines? You could perform massively parallel computations: model nuclear explosions or global weather patterns, factor large numbers or find Mersenne primes, or break cryptographic problems.

All of these are legitimate applications. And you can visit distributed.net and download software that allows you to donate your spare computer cycles to some of these projects. (You can help search for Optimal Golomb Rulers—even if you have no idea what they are.) You’ve got a lot of cycles to spare. There’s no reason that your computer can’t help search for extraterrestrial life as it, for example, sits idly waiting for you to read this essay.

The reason these things work is that they are consensual; none of these projects download software onto your computer without your knowledge. None of these projects control your computer without your consent. But there are lots of software programs that do just that.

The term used for a computer remotely controlled by someone else is a “bot”. A group of computers—thousands or even millions—controlled by someone else is a bot network. Estimates are that millions of computers on the internet today are part of bot networks, and the largest bot networks have over 1.5 million machines.

Initially, bot networks were used for just one thing: denial-of-service attacks. Hackers would use them against each other, fighting hacker feuds in cyberspace by attacking each other’s computers. The first widely publicized use of a distributed intruder tool—technically not a botnet, but practically the same thing—was in February 2000, when Canadian hacker Mafiaboy directed an army of compromised computers to flood CNN.com, Amazon.com, eBay, Dell Computer and other sites with debilitating volumes of traffic. Every newspaper carried that story.

These days, bot networks are more likely to be controlled by criminals than by hackers. The important difference is the motive: profit. Networks are being used to send phishing e-mails and other spam. They’re being used for click fraud. They’re being used as an extortion tool: Pay up or we’ll DDoS you!

Mostly, they’re being used to collect personal data for fraud—commonly called “identity theft.” Modern bot software doesn’t just attack other computers; it attacks its hosts as well. The malware is packed with keystroke loggers to steal passwords and account numbers. In fact, many bots automatically hunt for financial information, and some botnets have been built solely for this purpose—to gather credit card numbers, online banking passwords, PayPal accounts, and so on, from compromised hosts.

Swindlers are also using bot networks for click fraud. Google’s anti-fraud systems are sophisticated enough to detect thousands of clicks by one computer; it’s much harder to determine if a single click by each of thousands of computers is fraud, or just popularity.

And, of course, most bots constantly search for other computers that can be infected and added to the bot network. (A 1.5 million-node bot network was discovered in the Netherlands last year. The command-and-control system was dismantled, but some of the bots are still active, infecting other computers and adding them to this defunct network.)

Modern bot networks are remotely upgradeable, so the operators can add new functionality to the bots at any time, or switch from one bot program to another. Bot authors regularly upgrade their botnets during development, or to evade detection by anti-virus and malware cleanup tools.

One application of bot networks that we haven’t seen all that much of is to launch a fast-spreading worm. (Some believe the Witty worm spread this way.) Much has been written about “flash worms” that can saturate the internet in 15 minutes or less. The situation gets even worse if 10 thousand bots synchronize their watches and release the worm at exactly the same time. Why haven’t we seen more of this? My guess is because there isn’t any profit in it.

There’s no real solution to the botnet problem, because there’s no single problem. There are many different bot networks, controlled in many different ways, consisting of computers infected through many different vulnerabilities. Really, a bot network is nothing more than an attacker taking advantage of 1) one or more software vulnerabilities, and 2) the economies of scale that computer networks bring. It’s the same thing as distributed.net or SETI@home, only the attacker doesn’t ask your permission first.

As long as networked computers have vulnerabilities—and that’ll be for the foreseeable future—there’ll be bot networks. It’s a natural side-effect of a computer network with bugs.

This essay originally appeared on Wired.com.

EDITED TO ADD (7/27): DDOS extortion is a bigger problem than you might think. Right now it’s primarily targeted against fringe industries—online gaming, online gambling, online porn—located offshore, but we’re seeing more and more of against mainstream companies in the U.S. and Europe.

EDITED TO ADD (7/27): Seems that Witty was definitely not seeded from a bot network.

Posted on July 27, 2006 at 6:35 AMView Comments

Security Certifications

I’ve long been hostile to certifications—I’ve met too many bad security professionals with certifications and know many excellent security professionals without certifications. But, I’ve come to believe that, while certifications aren’t perfect, they’re a decent way for a security professional to learn some of the things he’s going to know, and a potential employer to assess whether a job candidate has the security expertise he’s going to need to know.

What’s changed? Both the job requirements and the certification programs.

Anyone can invent a security system that he himself cannot break. I’ve said this so often that Cory Doctorow has named it “Schneier’s Law”: When someone hands you a security system and says, “I believe this is secure,” the first thing you have to ask is, “Who the hell are you?” Show me what you’ve broken to demonstrate that your assertion of the system’s security means something.

That kind of expertise can’t be found in a certification. It’s a combination of an innate feel for security, extensive knowledge of the academic security literature, extensive experience in existing security systems, and practice. When I’ve hired people to design and evaluate security systems, I’ve paid no attention to certifications. They are meaningless; I need a different set of skills and abilities.

But most organizations don’t need to hire that kind of person. Network security has become standardized; organizations need a practitioner, not a researcher. This is good because there is so much demand for these practitioners that there aren’t enough researchers to go around. Certification programs are good at churning out practitioners.

And over the years, certification programs have gotten better. They really do teach knowledge that security practitioners need. I might not want a graduate designing a security protocol or evaluating a cryptosystem, but certs are fine for any of the handful of network security jobs a large organization needs.

At my company, we encourage our security analysts to take certification courses. We find that it’s the most cost-effective way to give them the skills they need to do ever-more-complex jobs.

Of course, none of this is perfect. I still meet bad security practitioners with certifications, and I still know excellent security professionals without any.

In the end, certifications are like profiling. They work , but they’re sloppy. Just because someone has a particular certification doesn’t mean that he has the security expertise you’re looking for (in other words, there are false positives). And just because someone doesn’t have a security certification doesn’t mean that he doesn’t have the required security expertise (false negatives). But we use them for the same reason we profile: We don’t have the time, patience, or ability to test for what we’re looking for explicitly.

Profiling based on security certifications is the easiest way for an organization to make a good hiring decision, and the easiest way for an organization to train its existing employees. And honestly, that’s usually good enough.

This essay originally appeared as a point-counterpoint with Marcus Ranum in the July 2006 issue of Information Security Magazine. (You have to fill out an annoying survey to read Marcus’s counterpoint, but 1) you can lie, and 2) it’s worth it.)

EDITED TO ADD (7/21): A Guide to Information Security Certifications.

EDITED TO ADD (9/11): Here’s Marcus’s column.

Posted on July 20, 2006 at 7:20 AMView Comments

Economics and Information Security

I’m sitting in a conference room at Cambridge University, trying to simultaneously finish this article for Wired News and pay attention to the presenter onstage.

I’m in this awkward situation because 1) this article is due tomorrow, and 2) I’m attending the fifth Workshop on the Economics of Information Security, or WEIS: to my mind, the most interesting computer security conference of the year.

The idea that economics has anything to do with computer security is relatively new. Ross Anderson and I seem to have stumbled upon the idea independently. He, in his brilliant article from 2001, “Why Information Security Is Hard—An Economic Perspective” (.pdf), and me in various essays and presentations from that same period.

WEIS began a year later at the University of California at Berkeley and has grown ever since. It’s the only workshop where technologists get together with economists and lawyers and try to understand the problems of computer security.

And economics has a lot to teach computer security. We generally think of computer security as a problem of technology, but often systems fail because of misplaced economic incentives: The people who could protect a system are not the ones who suffer the costs of failure.

When you start looking, economic considerations are everywhere in computer security. Hospitals’ medical-records systems provide comprehensive billing-management features for the administrators who specify them, but are not so good at protecting patients’ privacy. Automated teller machines suffered from fraud in countries like the United Kingdom and the Netherlands, where poor regulation left banks without sufficient incentive to secure their systems, and allowed them to pass the cost of fraud along to their customers. And one reason the internet is insecure is that liability for attacks is so diffuse.

In all of these examples, the economic considerations of security are more important than the technical considerations.

More generally, many of the most basic security questions are at least as much economic as technical. Do we spend enough on keeping hackers out of our computer systems? Or do we spend too much? For that matter, do we spend appropriate amounts on police and Army services? And are we spending our security budgets on the right things? In the shadow of 9/11, questions like these have a heightened importance.

Economics can actually explain many of the puzzling realities of internet security. Firewalls are common, e-mail encryption is rare: not because of the relative effectiveness of the technologies, but because of the economic pressures that drive companies to install them. Corporations rarely publicize information about intrusions; that’s because of economic incentives against doing so. And an insecure operating system is the international standard, in part, because its economic effects are largely borne not by the company that builds the operating system, but by the customers that buy it.

Some of the most controversial cyberpolicy issues also sit squarely between information security and economics. For example, the issue of digital rights management: Is copyright law too restrictive—or not restrictive enough—to maximize society’s creative output? And if it needs to be more restrictive, will DRM technologies benefit the music industry or the technology vendors? Is Microsoft’s Trusted Computing initiative a good idea, or just another way for the company to lock its customers into Windows, Media Player and Office? Any attempt to answer these questions becomes rapidly entangled with both information security and economic arguments.

WEIS encourages papers on these and other issues in economics and computer security. We heard papers presented on the economics of digital forensics of cell phones (.pdf)—if you have an uncommon phone, the police probably don’t have the tools to perform forensic analysis—and the effect of stock spam on stock prices: It actually works in the short term. We learned that more-educated wireless network users are not more likely to secure their access points (.pdf), and that the best predictor of wireless security is the default configuration of the router.

Other researchers presented economic models to explain patch management (.pdf), peer-to-peer worms (.pdf), investment in information security technologies (.pdf) and opt-in versus opt-out privacy policies (.pdf). There was a field study that tried to estimate the cost to the U.S. economy for information infrastructure failures (.pdf): less than you might think. And one of the most interesting papers looked at economic barriers to adopting new security protocols (.pdf), specifically DNS Security Extensions.

This is all heady stuff. In the early years, there was a bit of a struggle as the economists and the computer security technologists tried to learn each others’ languages. But now it seems that there’s a lot more synergy, and more collaborations between the two camps.

I’ve long said that the fundamental problems in computer security are no longer about technology; they’re about applying technology. Workshops like WEIS are helping us understand why good security technologies fail and bad ones succeed, and that kind of insight is critical if we’re going to improve security in the information age.

This essay originally appeared on Wired.com.

Posted on June 29, 2006 at 4:31 PMView Comments

Movie-Plot Threat Contest Winner

I can tell you one thing, you guys are really imaginative. The response to my Movie-Plot Threat Contest was more than I could imagine: 892 comments. I printed them all out—195 pages, double sided—and spiral bound them, so I could read them more easily. The cover read: “The Big Book of Terrorist Plots.” I tried not to wave it around too much in airports.

I almost didn’t want to pick a winner, because the real point is the enormous list of them all. And because it’s hard to choose. But after careful deliberation (see selection criteria here), the winning entry is by Tom Grant. Although planes filled with explosives is already cliche, destroying the Grand Coulee Dam is inspired. Here it is:

Mission: Terrorize Americans. Neutralize American economy, make America feel completely vulnerable, and all Americans unsafe.

Scene 1: A rented van drives from Spokane, WA, to a remote setting in Idaho and loads up with shoulder-mounted rocket launchers and a couple of people dressed in fatigues.

Scene 2: Terrorists dressed in “delivery man” garb take over the UPS cargo depot at the Spokane, WA, airport. A van full of explosives is unloaded at the depot.

Scene 3: Terrorists dressed in “delivery man” garb take over the UPS cargo depot at the Kamloops, BC, airport. A van full of explosives is unloaded at the depot.

Scene 4: A van with mercenaries drives through the Idaho forests en route to an unknown destination. Receives cell communiqué that locations Alpha and Bravo are secured.

Scene 5: UPS cargo plane lands in Kamloops and is met at the depot by terrorists who overtake the plane and its crew. Explosives are loaded aboard the aircraft. The same scene plays out in Spokane moments later, and that plane is loaded with explosives. Two pilots board each of the cargo planes and ask for takeoff instructions as night falls across the West.

Scene 6: Two cargo jets go airborne from two separate locations. A van with four terrorists arrives at its destination, parked on an overlook ridge just after nightfall. They use infrared glasses to scope the target. The camera pans down and away from the van, exposing the target. Grand Coulee Dam. The cell phone rings and notification comes to the leader that “Nighthawks alpha and bravo have launched.”

Scene 7: Two radar operators in separate locations note with alarm that UPS cargo jets they have been tracking have dropped off the radar and may have crashed. Aboard each craft the pilots have turned off navigational radios and are flying on “manual” at low altitude. One heading South, one heading North.

Scene 8: Planes are closing in on the “target” and the rocket launcher crew goes to work. With precision they strike lookout and defense positions on the dam, then target the office structures below. As they finish, a cargo jet approaches from the North at high velocity, slamming into the back side of the dam just above the waterline and exploding, shuddering the earth. A large portion of the center-top of the dam is missing. Within seconds a cargo plane coming from the South slams into the front face of the dam, closer to the base, and explodes in a blinding flash, shuddering the earth. In moments, the dam begins to fail, and a final volley from four rocket launchers on the hill above helps break open the face of the dam. The 40-mile-long Lake Roosevelt begins to pour down the Columbia River Valley, uncontrolled. No warning is given to the dams downriver, other than the generation at G.C. is now offline.

Scene 9: Through the night, the surging wall of water roars down the Columbia waterway, overtopping dam after dam and gaining momentum (and huge amounts of water) along the way. The cities of Wenatchee and Kennewick are inundated and largely swept away. A van of renegades retreats to Northern Idaho to hide.

Scene 10: As day breaks in the West, there is no power from Seattle to Los Angeles. The Western power grid has failed. Commerce has ground to a halt west of the Rocky Mountains. Water is sweeping down the Columbia River gorge, threatening to overtop Bonneville dam and wipe out the large metro area of Portland, OR.

Scene 11: Bin Laden releases a video on Al Jazeera that claims victory over the Americans.

Scene 12: Pandemonium, as water sweeps into a panicked Portland, Oregon, washing all away in its path, and surging water well up the Willamette valley.

Scene 13: Washington situation room…little input is coming in from the West. Some military bases have emergency power and sat phones, and are reporting that the devastation of the dam infrastructure is complete. Seven major and five minor dams have been destroyed. Re-powering the West coast will take months, as connections from the Eastern grid will have to be made through the New Mexico Mountains.

Scene 14: Worst U.S. market crash in history. America’s GNP drops from the top of the charts to 20th worldwide. Exports and imports cease on the West coast. Martial law fails to control mass exodus from Seattle, San Francisco, and L.A. as millions flee to the east. Gas shortages and vigilante mentality take their toll on the panicked populace. The West is “wild” once more. The East is overrun with millions seeking homes and employment.

Congratulations, Tom. I’m still trying to figure out what you win.

There’s a more coherent essay about this on Wired.com, but I didn’t reprint it here because it contained too much that I’ve already posted on this blog.

Posted on June 15, 2006 at 2:37 PMView Comments

Aligning Interest with Capability

Have you ever been to a retail store and seen this sign on the register: “Your purchase free if you don’t get a receipt”? You almost certainly didn’t see it in an expensive or high-end store. You saw it in a convenience store, or a fast-food restaurant. Or maybe a liquor store. That sign is a security device, and a clever one at that. And it illustrates a very important rule about security: it works best when you align interests with capability.

If you’re a store owner, one of your security worries is employee theft. Your employees handle cash all day, and dishonest ones will pocket some of it for themselves. The history of the cash register is mostly a history of preventing this kind of theft. Early cash registers were just boxes with a bell attached. The bell rang when an employee opened the box, alerting the store owner—who was presumably elsewhere in the store—that an employee was handling money.

The register tape was an important development in security against employee theft. Every transaction is recorded in write-only media, in such a way that it’s impossible to insert or delete transactions. It’s an audit trail. Using that audit trail, the store owner can count the cash in the drawer, and compare the amount with what the register. Any discrepancies can be docked from the employee’s paycheck.

If you’re a dishonest employee, you have to keep transactions off the register. If someone hands you money for an item and walks out, you can pocket that money without anyone being the wiser. And, in fact, that’s how employees steal cash in retail stores.

What can the store owner do? He can stand there and watch the employee, of course. But that’s not very efficient; the whole point of having employees is so that the store owner can do other things. The customer is standing there anyway, but the customer doesn’t care one way or another about a receipt.

So here’s what the employer does: he hires the customer. By putting up a sign saying “Your purchase free if you don’t get a receipt,” the employer is getting the customer to guard the employee. The customer makes sure the employee gives him a receipt, and employee theft is reduced accordingly.

There is a general rule in security to align interest with capability. The customer has the capability of watching the employee; the sign gives him the interest.

In Beyond Fear I wrote about ATM fraud; you can see the same mechanism at work:

“When ATM cardholders in the US complained about phantom withdrawals from their accounts, the courts generally held that the banks had to prove fraud. Hence, the banks’ agenda was to improve security and keep fraud low, because they paid the costs of any fraud. In the UK, the reverse was true: The courts generally sided with the banks and assumed that any attempts to repudiate withdrawals were cardholder fraud, and the cardholder had to prove otherwise. This caused the banks to have the opposite agenda; they didn’t care about improving security, because they were content to blame the problems on the customers and send them to jail for complaining. The result was that in the US, the banks improved ATM security to forestall additional losses—most of the fraud actually was not the cardholder’s fault—while in the UK, the banks did nothing.”

The banks had the capability to improve security. In the US, they also had the interest. But in the UK, only the customer had the interest. It wasn’t until the UK courts reversed themselves and aligned interest with capability that ATM security improved.

Computer security is no different. For years I have argued in favor of software liabilities. Software vendors are in the best position to improve software security; they have the capability. But, unfortunately, they don’t have much interest. Features, schedule, and profitability are far more important. Software liabilities will change that. They’ll align interest with capability, and they’ll improve software security.

One last story… In Italy, tax fraud used to be a national hobby. (It may still be; I don’t know.) The government was tired of retail stores not reporting sales and paying taxes, so they passed a law regulating the customers. Any customer having just purchased an item and stopped within a certain distance of a retail store, has to produce a receipt or they would be fined. Just as in the “Your purchase free if you don’t get a receipt” story, the law turned the customers into tax inspectors. They demanded receipts from merchants, which in turn forced the merchants to create a paper audit trail for the purchase and pay the required tax.

This was a great idea, but it didn’t work very well. Customers, especially tourists, didn’t like to be stopped by police. People started demanding that the police prove they just purchased the item. Threatening people with fines if they didn’t guard merchants wasn’t as effective an enticement as offering people a reward if they didn’t get a receipt.

Interest must be aligned with capability, but you need to be careful how you generate interest.

This essay originally appeared on Wired.com.

Posted on June 1, 2006 at 6:27 AMView Comments

The Value of Privacy

Last week, revelation of yet another NSA surveillance effort against the American people has rekindled the privacy debate. Those in favor of these programs have trotted out the same rhetorical question we hear every time privacy advocates oppose ID checks, video cameras, massive databases, data mining, and other wholesale surveillance measures: “If you aren’t doing anything wrong, what do you have to hide?”

Some clever answers: “If I’m not doing anything wrong, then you have no cause to watch me.” “Because the government gets to define what’s wrong, and they keep changing the definition.” “Because you might do something wrong with my information.” My problem with quips like these—as right as they are—is that they accept the premise that privacy is about hiding a wrong. It’s not. Privacy is an inherent human right, and a requirement for maintaining the human condition with dignity and respect.

Two proverbs say it best: Quis custodiet custodes ipsos? (“Who watches the watchers?”) and “Absolute power corrupts absolutely.”

Cardinal Richelieu understood the value of surveillance when he famously said, “If one would give me six lines written by the hand of the most honest man, I would find something in them to have him hanged.” Watch someone long enough, and you’ll find something to arrest—or just blackmail—with. Privacy is important because without it, surveillance information will be abused: to peep, to sell to marketers and to spy on political enemies—whoever they happen to be at the time.

Privacy protects us from abuses by those in power, even if we’re doing nothing wrong at the time of surveillance.

We do nothing wrong when we make love or go to the bathroom. We are not deliberately hiding anything when we seek out private places for reflection or conversation. We keep private journals, sing in the privacy of the shower, and write letters to secret lovers and then burn them. Privacy is a basic human need.

A future in which privacy would face constant assault was so alien to the framers of the Constitution that it never occurred to them to call out privacy as an explicit right. Privacy was inherent to the nobility of their being and their cause. Of course being watched in your own home was unreasonable. Watching at all was an act so unseemly as to be inconceivable among gentlemen in their day. You watched convicted criminals, not free citizens. You ruled your own home. It’s intrinsic to the concept of liberty.

For if we are observed in all matters, we are constantly under threat of correction, judgment, criticism, even plagiarism of our own uniqueness. We become children, fettered under watchful eyes, constantly fearful that—either now or in the uncertain future—patterns we leave behind will be brought back to implicate us, by whatever authority has now become focused upon our once-private and innocent acts. We lose our individuality, because everything we do is observable and recordable.

How many of us have paused during conversation in the past four-and-a-half years, suddenly aware that we might be eavesdropped on? Probably it was a phone conversation, although maybe it was an e-mail or instant-message exchange or a conversation in a public place. Maybe the topic was terrorism, or politics, or Islam. We stop suddenly, momentarily afraid that our words might be taken out of context, then we laugh at our paranoia and go on. But our demeanor has changed, and our words are subtly altered.

This is the loss of freedom we face when our privacy is taken from us. This is life in former East Germany, or life in Saddam Hussein’s Iraq. And it’s our future as we allow an ever-intrusive eye into our personal, private lives.

Too many wrongly characterize the debate as “security versus privacy.” The real choice is liberty versus control. Tyranny, whether it arises under threat of foreign physical attack or under constant domestic authoritative scrutiny, is still tyranny. Liberty requires security without intrusion, security plus privacy. Widespread police surveillance is the very definition of a police state. And that’s why we should champion privacy even when we have nothing to hide.

A version of this essay originally appeared on Wired.com.

EDITED TO ADD (5/24): Daniel Solove comments.

Posted on May 19, 2006 at 12:00 PMView Comments

1 40 41 42 43 44 48

Sidebar photo of Bruce Schneier by Joe MacInnis.