Friday, September 30, 2011

I was just threatened by #OccupyWallStreet protesters

(For my complete report on the protest, click here.)


I was just threatened by #OccupyWallStreet protesters. They told me that if I didn't give up my seat, they were going to break this computer I'm typing on.

Wednesday, September 21, 2011

Thinking on the margin (Economics)

By any rational measure, the Internet is secure enough. That's obviously true: the value of the Internet, hackers and all, is far greater than not having the Internet. Credit card companies, despite all the fraud losses, still make a net profit on the Internet.

The problem with the security industry, especially the so-called "experts", is that they don't know how to measure "enough security". So they fall back to a default position that no matter how much security you have, it's not enough, you need more. Becoming a security expert is insanely easy: just tell people they don't have enough security, and blame security weaknesses on moral weaknesses, such as laziness, greed, corruption, stupidity, and so on.

But while the industry acts as if "enough" can't be measured, it turns out to be easy. The trick is thinking on the edge, on the margin. You don't ask whether the total amount of security is enough; you ask whether the next marginal increase in security is worth its marginal cost. If it is, add it. If it isn't, you already have enough.
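As an added example (not from the original post), here is that marginal calculation written out in code. It assumes a hypothetical loss curve: expected annual loss falls off exponentially with security spend, loss(s) = L0 * exp(-k * s), where L0 (the loss with no security at all) and k (how quickly spend buys down the loss) are made-up parameters, as are the figures in the usage block. Under that assumption "enough security" is the spend at which the next dollar of security saves less than a dollar of expected loss; `worth_it` is the same test applied to a single discrete control, such as a browser policy change.

```python
import math


def expected_loss(spend, L0, k):
    """Expected annual loss after spending `spend` on security.

    Hypothetical curve (an assumption for this example, not a claim from the
    post): the loss never reaches zero, it only falls off exponentially. That
    is exactly why "more security is always better" feels true but isn't.
    """
    return L0 * math.exp(-k * spend)


def marginal_benefit(spend, L0, k):
    """Loss avoided by the next dollar of spend: -d(loss)/d(spend)."""
    return k * L0 * math.exp(-k * spend)


def total_cost(spend, L0, k):
    """What is actually paid: the security itself plus the residual loss."""
    return spend + expected_loss(spend, L0, k)


def enough_security(L0, k):
    """Spend at which marginal benefit equals marginal cost (one dollar).

    Solve k * L0 * exp(-k * s) = 1 for s, giving s = ln(k * L0) / k.
    If even the first dollar saves less than a dollar (k * L0 <= 1), the
    rational answer is to spend nothing.
    """
    if k * L0 <= 1.0:
        return 0.0
    return math.log(k * L0) / k


def worth_it(control_cost, loss_before, loss_after):
    """Discrete version for one proposed control, e.g. a browser policy that
    evicts a CA after a bad certificate: adopt it only if the loss it removes
    exceeds what it costs."""
    return (loss_before - loss_after) > control_cost


if __name__ == "__main__":
    L0, k = 1_000_000.0, 1e-4  # constructed parameters, not real figures
    s_star = enough_security(L0, k)
    print(f"enough security: spend {s_star:,.0f}, "
          f"residual loss {expected_loss(s_star, L0, k):,.0f}")
    # Past s_star every extra dollar of security costs more than it saves,
    # even though the residual loss keeps shrinking.
    for s in (0.0, s_star / 2, s_star, s_star * 2):
        print(f"spend {s:>10,.0f}  marginal benefit "
              f"{marginal_benefit(s, L0, k):8.3f}  "
              f"total cost {total_cost(s, L0, k):,.0f}")
    # One discrete control: costs 100, cuts expected loss from 1000 to 500.
    print("adopt control:", worth_it(100.0, 1000.0, 500.0))
```

Run it and the total cost column is minimised at the computed spend; halving or doubling that spend makes the organisation worse off, which is the "enough" point the paragraph above describes. Swap in a different loss curve and the method is unchanged, only the number moves.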

Take SSL, for example. Is it secure enough? If you ask the question that way, as an absolute, you've already lost the battle. But if you instead ask about marginal improvements, it starts to look different. For example, suppose browser vendors were to announce a new policy that any CA which issues a bad certificate for a major site (Google, Microsoft, etc.) will be permanently removed from the browser. The question is: are the marginal benefits of this policy worth its marginal costs? We can now have a lively debate about that, with each side bringing up benefits and costs the other side did not consider. It's a rational way of debating the problem, rather than debating "is SSL secure enough?".

Or take DNSSEC. I love it, and from one perspective it should have been done 10 years ago, but on the other hand I think its marginal costs exceed its marginal benefits. It doesn't solve any of the most common attacks that happen today. I suppose the real debate is about what happens in the future. Does it end up being a common point of failure (the way CAs are today), or does it enable new innovation in secure technologies? I suspect a little of both.

Consider the TSA. The most common wrong thing said about them is that they, or one of their procedures, don't stop terrorists. For example, people heavily criticize making passengers take off their shoes. The correct way to analyze this is on the margin: is the marginal benefit of forcing passengers to take off their shoes worth the marginal cost?

Here is the thing about terrorism: it's oddly elastic. You'd think that a serious suicide bomber would surgically implant a bomb, making it 100% undetectable and thus rendering all TSA security meaningless. In fact, few suicide bombers are that rational. Most are stupid, incompetent, or crazy. Most find it too difficult even to ignite a shoe or underwear bomb. Nothing the TSA does can stop the next 9/11-style attack by competent suicide bombers, but for everything they do, there is probably some incompetent suicide bomber who is stopped by that procedure. So the question isn't whether these procedures work; they do. The question is whether every procedure is worth its cost, and I would agree with the assessment that most aren't.

Tuesday, September 20, 2011

CAPTCHA hell

The better spammers get at solving CAPTCHAs, the harder it becomes for humans to prove that they are, in fact, humans. reCAPTCHA, in particular, has become annoying lately. I often fail the first attempt (or 100% of the attempts if going through Tor, for some reason). Here is a list of CAPTCHAs, see if you can solve them:

That's "pœna", not "poena".

It would be a mistake to think it was "Miftake"

Is it "1300.8", or "1300.8", or "1300."?

Thursday, September 08, 2011

Finally, a Responsible Disclosure policy

Digital Bond, which researches SCADA/ICS vulns, has published one of the most responsible vulnerability disclosure policies: http://www.digitalbond.com/about-us/vulnerability-disclosure-policy/. To summarize, it says:
  • We honor client commitments.
  • Otherwise, we do whatever the heck we want with the vulns we discover.

Over the years, vulnerability researchers (or non-researchers who want researchers to listen to them) have tried to come up with ways to lessen the harm of vuln research while maximizing the good. They've failed. Instead, they've come up with rules that only serve the vendors of vulnerable products, who exploit "responsible disclosure" to spin, cover up, or delay vuln disclosure. After having the FBI show up at our door threatening us in an attempt to prevent vuln disclosure, we've stopped being nice to vendors.