Emergent Chaos

Spending to Protect Assets

There's a story in the New York Times about a bike rental program in Washington DC. It's targeted at residents, not tourists, and has a subscription-based model.

Improved technology allows programs to better protect bicycles. In Washington, SmartBike subscribers who keep bicycles longer than the three-hour maximum will receive demerits and could eventually lose renting privileges. Bicycles gone for more than 48 hours will be deemed lost, with the last user charged a $200 replacement fee.

That technology comes with a price, which is one reason cities and advertisers started joining forces to offer bike-sharing. The European programs would cost cities about $4,500 per bike if sponsors did not step in, Mr. DeMaio said. "Bicycle-Sharing Program to Be First of Kind in U.S."

$4,500 is 22.5 bikes. Put another way, they could buy 2,500 bikes, rather than the 120 they're buying. That would require a lot more space if you bought them all at once, but you might just buy them as bikes are stolen. Looking at it another way, if you took the $500,000 being spent on technology, and invested it at 5%, you would make $25,000 per year, enough to completely replace the fleet annually.

This is (obviously) an incomplete analysis. But the cost of protection jumped out at me. Maybe it's typical for how people in Washington think about asset protection.

Why Aren't there More Paul Grahams?

Paul Graham has an interesting essay "Why There Aren't More Googles." In it, he talks about how VC are shying away from doing lots of little deals, and how the bold ideas are the ones that are hardest to fund:

And yet it's the bold ideas that generate the biggest returns. Any really good new idea will seem bad to most people; otherwise someone would already be doing it. And yet most VCs are driven by consensus, not just within their firms, but within the VC community. The biggest factor determining how a VC will feel about your startup is how other VCs feel about it. I doubt they realize it, but this algorithm guarantees they'll miss all the very best ideas. The more people who have to like a new idea, the more outliers you lose.

Paul is absolutely right. The more people who have to like a new idea, the more outliers you miss. However, any really good new idea is likely a combination of one really good insight, and several bad ones. It's hard to dis-entangle them until you engage with the market. There's a real question of how expensive that will be. There's also the question of will a really bold new inventor listen enough to make the idea successful?

When I was at Zero-Knowledge, we spent a lot of time exploring ideas which have now come to fruition. Zero-Knowledge, under the name RadialPoint, is thriving. Selling security and privacy to consumers makes sense as part of an ISP package. Making it work, and figuring out what people were ready for, took a while. Some of the bits that they weren't ready for, and perhaps weren't ready for the market include the IP level privacy, a problem that the Tor Project is hard at work on. We also worked hard on 'private credentials, which Credentica launched as U-Prove, and has since been acquired by Microsoft.

We had lots of new ideas at Zero-Knowledge, and a set of happy outcomes (as shareholders know).

But Zero-Knowledge, while bold, wasn't even absolutely new. It was built on the ideas of the cypherpunks, and we even had a Chief Cypherpunk. Similarly, Google wasn't the first of the search engines. It was innovative in how it worked, but it was several years after Yahoo!, AltaVista, and Ask. The bold ideas took a while to become profitable ideas.

So I think that it's absolutely wonderful that we have a creative, chaotic froth of very little companies, and that Paul helps make that happen. I wish there were more. I love seeing what emerges from that chaotic experimentation. But that experimentation can be tremendously expensive, with people chasing many variations of the ideas.

Paul is chasing a variation on how funding happens. He believes passionately in that vision, and is putting his money where his mouth is. Will it work? Who knows? I'm glad there's chaotic experimentation, and if Paul succeeds, I'm sure he'll have many imitators.

Center for Innovative Financial Technology Launches at Berkeley

Congratulations to Berkeley on setting up a "Center for Innovative Financial Technology", but I wonder why their mission is so conservative?

The mission of the Center is to conduct and facilitate innovative research and teaching on how new technologies impact global electronic markets, investment strategies, and the stability of the financial system.

The information people use to make financial decisions is changing. Brokers are disintermediated by electronic market access. Reporter/editor/reader relationships are disintermediated by web access to primary sources. Technology has provided the means to deliver a great deal of financially relevant information. It has lagged in providing the means to make sense of it in a timely manner. This is an important focus of CIFT research.

As Digicash was saying back in 1994, numbers are money now. Studying technology in its impact on information, without paying attention to now the information is money seems like studying how compression algorithms will allow us to deliver music to record stores, to be pressed on demand into fresh vinyl.

The FDIC's Cyber Fraud Report

The FDIC's Division of Supervision and Consumer Protection didn't release a report titled "Cyber Fraud and Financial Crime" on November 9, 2007. That release was left to Brian Krebs, a reporter with the Washington Post, in early March, who blogged about it in "Banks: Losses From Computer Intrusions Up in 2007" and "The FDIC Computer Intrusion Report."

One of the great things about having the full report is that we don't need to rely on Brian to interpret it for us. I love having data, and hate how rare it is for people who work in information security to have anything but summaries.

I found a couple of things interesting. At first they seem un-related:

• The largest category is mortgage fraud, costing roughly $600MM in the 2nd quarter of 2007, and up 15% from Q1.
• The second largest is check fraud. Check fraud is up, according to the FDIC (page 9) because the "Check21" program which sends images (rather than physical checks) is not sensitive enough to show watermarks or alteration detection by chemicals in the paper.

Both are really about risk tradeoffs, and it seems that with the rise in employment as a short term deal, the organizations become more focused on the short-term. [Updated: clarified that sentence a little.]

An example is the "zippy" memo, where JPMorgan Chase employees traded information about how to fool the computer into approving loans. (See "How to Get an "Iffy" loan approved at JPM Chase," or "Chase mortgage memo pushes 'Cheats & Tricks.'" Chase fired at least one person for distributing it.)

The advice included:

1. Lump all of an applicant's compensation as the applicant's base income, rather than breaking out commissions, bonuses and tips.
2. Do not disclose use of gifts for down payments.
3. If all else fails, simply inflate the applicant's income. "Inch it up $500 to see if you can get the findings you want. Do the same for assets.

Now, any security professional worth their salt can come up, post-facto, with fixes for each of these behaviors that prevent or detect them. But the real problem is that the commission isn't paid over the life of the loan, it's paid up front. Of course people are going to find ways to get the loans approved, and not worry about what happens next. Your community banker didn't actually get bonuses over the life of the loan, but did expect to be with the bank when a problem happened.

As long as (as Martin Wolff says) "no industry has a comparable talent for privatising gains and socialising losses," we should expect to be unpleasantly surprised by reading about bank fraud. (A bit more context on the Wolff quote can be found in this excerpt.)

The Principal-Agent Problem in Security

There's a fascinating article in the New York Times, "At Bear Stearns, Meet the New Boss." What makes it fascinating is the human emotion displayed:

“In this room are people who have built this firm and lost a lot, our fortunes,” one Bear executive said to Mr. Dimon with anger in his voice. “What will you do to make us whole?”

The packed room of senior managing directors applauded.

Mr. Dimon responded gingerly. “You’re acting like it’s our fault, and it’s not. If you stay we will make you happy.”

But the Bear employee was not satisfied. “I think it’s galling you come into our house and you call this a ‘merger,’ ” the Bear executive went on.

Now, there's an easy slam on that exec, but I'd like to do better than that. There's a very real desire to not go from the mansion to the poorhouse overnight. Picking arbitrary numbers of shares, on Friday, this fellow might have held 10,000 shares, worth $300,000, representing a large fraction of his savings. Monday morning, it was worth $20,000. He's worried about how he's going to pay for his kid's education or his next vacation. (There's more excellent analysis in Jeffrey Lipshaw's "Exuberant Bulls, Rueful Bears, and Rational Frogs"

People's concerns, first and foremost, are for themselves.

People who work in security are often deeply concerned with security, because it's the thing that makes or breaks their careers. They're focused on the impact of security on them, as well as their business. So sometimes they make choices which aren't perfect for the business, but take their perspectives into account. It's only human.

Nick Owen talks a bit about the motives of security chiefs in "On the short tenure of CISOs and low-frequency, high-impact events." (Damnit, Nick, I should have seen that. Now you're banned from the prom.) ((Which is yet another instance of a principal-agent problem. I'd like to appear smarter and more insightful than Nick, so I have to ensure I don't link to him.))

Economists call this set of issues principal-agent problems, with the classic example being Alice hiring Bob to sell a car that she doesn't have time to sell. How does she know that he's not selling it to a friend? Economists are generally worried about the CEO, but the thinking can and should be applied across a company. How do you ensure people's motives are well aligned with that of the business and it's shareholders?

Nick Szabo has some interesting points about "representation distances" in a political analysis of principal agent problems. I'm surprised that he talks about the distance from one agent to a group. I would think that the interesting questions involve average distances between various groups and agents, and the tensions between them.

Bear Stearns

Dan Geer is fond of saying that financial risk management works because everyone knows who owns what risks.

Reports are that JPMorgan just bought Bear Stearns for $236MM, a 93% discount to Friday's closing price, with $30BB of US taxpayer money thrown in (as guarantees) for good measure. Bloomberg also reports that the Bear Stearns headquaters are valued at $1.2 BB, which means that the firm's net market positions are a liability of about ($31BB).

Apparently, Bear Stearns owned less of the risk than the Fed. I wonder when the Fed knew that? According to the same New York Times story, Bear Stearns has known it all along:

Even up until last week, Alan "Ace" Greenberg, Bear Stearn’s chairman for more than 20 years and a champion bridge player, still regaled its partners over lengthy lunches about gambling with the firm’s money in its wood-paneled dining room.

The firm's money, indeed.

Quantum Progress

What is it about the word "quantum" that sucks the brains out of otherwise reasonable people? There has to be some sort of Heisenberg-Schödinger Credulity Principle that makes all the ideons in their brains go spin-up at the same time, and I'm quite sure that the Many Worlds Interpretation of it has the most merit. (In case you're a QM n00b, the ideon is the quantum unit of belief.) Fortunately, there seems to be some sanity coming to reporting about quantum computing.

Just about every quantum computing article has a part in it that notes that there are quantum algorithms to break public crypto. The articles breathlessly explain that this means that SSL will be broken and the entire financial world will be in ruins, followed by the collapse of civilization as we know it. Otherwise sensible people focus on this because there's very little to sink your teeth into in quantum computing otherwise. Even certified experts know that they don't know what they don't know.

Scott Aaronson has a good article in Scientific American called "The Limits of Quantum Computers" (only the preview is free, sorry) that gives a good description of what quantum computers can't do. I'm pleased to see this. SciAm has been a HSCP-induced quantum cheerleader over the last few years.

I have been doing some research on the claims of quantum computing. I decided to pick the specific factoring ability of quantum computers, and produce some actual numbers about how we might expect quantum computing to develop. In other words, I'm going to be a party pooper.

The crypto-obviating algorithms in question are Shor's algorithm for factoring and an algorithm he developed for discrete logs. I was surprised to learn that Shor's algorithm requires 72k³ quantum gates to be able to factor a number k bits long. Cubed is a somewhat high power. So I decided to look at a 4096-bit RSA key, which is the largest that most current software supports — the crypto experts all say that if you want something stronger, you should shift to elliptic curve, and the US government is pushing this, too, with their "Suite B" algorithms.

To factor a 4096-bit number, you need 72*4096³ or 4,947,802,324,992 quantum gates. Lets just round that up to an even 5 trillion. Five trillion is a big number. We're only now getting to the point that we can put about that many normal bits on a disk drive. The first thing this tells me is that we aren't going to wake up one day and find out that someone's put that many q-gates on something you can buy from Fry's from a white-box Taiwanese special.

A complication in my calculations is the relationship between quantum gates and quantum bits. For small numbers of qubits, you get about 200 qugates per qubit. But qubits are rum beasts. There are several major technologies that people are trying to tease qubits out of. There's the adiabatic techlogies that D-Wave is trying. There are photon dots, and who knows how many semiconductor-based methods.

It isn't clear that any of these have any legs. Read Scott Aaronson's harumphing at D-Wave, more pointed yet sympathetic faint praise and these educated doubts on photonics. Interestingly, Aaronson says that adiabatic quantum computers like D-Wave need k¹¹ gates rather than k³ gates, which pretty much knocks them out of viability at all, if that's so.

But let's just assume that they all work as advertised, today. My next observation is that probably looking at billions of q-bits to be able to get trillions of q-gates. My questions to people who know about the relationship between quantum gates and quantum bits yielded that the real experts don't have a good answer, but that 200:1 ratio is more likely to go down than up. Intel's two-billion transistor "Tukwila" chip comes out this year. Five trillion is a big number. We are as likely to need 25 billion qbits to factor that number as any other good guess. Wow.

The factoring that has been done on today's quantum computers is of a four-bit number, 15. If you pay attention to quantum computing articles, you'll note they always factor 15. There's a reason for this. It's of the form (2ⁿ-1) * ( 2ⁿ+1). In binary, 2ⁿ-1 is a string of all 1 bits. A number that is 2ⁿ+1 is a 1 bit followed by a string of 0s, and then a 1 again. These numbers are a special form that is easy to factor, and in the real world not going to occur in a public key.

This is not a criticism, it's an observation. You have to walk before you can run, and you have to factor special forms before you can factor the general case. Having observed that, we'll just ignore it and assume we can factor any four-bit number today.

Let's presume that quantum computers advance in some exponential curve that resembles Moore's Law. That is to say that there is going to be a doubling of quantum gates periodically, and we'll call that period a "generation." Moore's specific observation about transistors had a generation every eighteen months.

The difference between factoring four bits and factoring 4096 bits is 30 generations. In other words, 72*4³ * 2³⁰ = 72*4096³. If we look at a generation of eighteen months, then quantum computers will be able to factor a 4096-bit number in 45 years, or on the Ides of March, 2053.

This means to me that my copy of PGP is still going to be safe to use for a while yet. Maybe I oughta get rid of the key I've been using for the last few years, but I knew that. I'm not stupid, merely lazy.

I went over to a site that will tell you how long a key you need to use, http://www.keylength.com/. Keylength.com uses estimates made by serious cryptographers for the life of keys. They make some reasonable assumptions and perhaps one slightly-unreasonable assumption: that Moore's Law will continue indefinitely. If we check there for how long a 4096-bit key will be good for, the conservative estimate is (drum roll, please) — the year 2060.

I'm still struck by how close those dates are. It suggests to me that if quantum computers continue at a rate that semiconductors do, they'll do little more than continue the pace of technological advancement we've seen for the past handful of decades. That's no mean feat — in 2053, I doubt we're going to see Intel trumpeting its 45 picometer process (which is what we should see after 30 generations).

I spoke to one of my cryptographer friends and outlined this argument to him. He said that he thinks that the pace of advancement will pick up and be faster than a generation every eighteen months. Sure. I understand that, myself. The pace of advancement in storage has been a generation every year, and in flash memory it's closer to every nine months. It's perfectly conceivable that quantum computing will see horrible progress for the next decade and then whoosh off with a generation ever six months. That would compress my 45 years into 25, which is a huge improvement but still no reason to go begging ECRYPT for more conferences.

On the other hand, it's just as conceivable that quantum computing will end up on the Island of Misfit Technologies, along with flying cars, personal jetpacks, Moon colonies, artificial intelligence, and identity management.

But I also talked to a bigwig in Quantum Information Theory (that's quantum computing and more) and gave him a sketch of my argument. I heard him speak about Quantum Information and he gave the usual Oooooo Scary Quantum Computers Are Going to Factor Numbers Which Will Cause The Collapse of All Financial Markets And Then We Will All DIEEEEE — So That's Why We Need More Research Money boosterism.

He wouldn't let me attribute anything to him, which I understand completely. We live in a world in which partisanship is necessary and if he were seen putting down the pompoms, he'd be fired. Telling middle-aged technocrats that the math says their grandkids are going to see quantum computers shortly before they retire will cause the research money dry up, and if that happens then — well, the world won't end. And then where would we be?

Nonetheless, he said to me sotto voce, "There's nothing wrong with your math."

Photo is a detail from "Shop Full" by garryw16.

Credit Ratings for Governments?

Last week, I talked about consumer credit in "The real problem in ID theft."

Yesterday, the New York Times had a story, "States and Cities Start Rebelling on Bond Ratings:"

A complex system of credit ratings and insurance policies that Wall Street uses to set prices for municipal bonds makes borrowing needlessly expensive for many localities, some officials say. States and cities have begun to fight back, saying they can no longer afford the status quo given the slackening economy and recent market turmoil.

...
At every rating, municipal bonds default less often than similarly rated corporate bonds, according to Moody’s... Colleen Woodell, chief quality officer for public finance, acknowledged that municipal debt had defaulted at lower rates than corporate issues, but she noted that the data covered a relatively benign 20-year period...Ms. Woodell said the disparity was “within a tolerable band” and would diminish over time.

Tolerable to whom, Ms. Woodell?

The article goes on to explain that the financiers are taking enormous sums of money from taxpayers on what is really very safe debt.

Since most government bonds are repaid, there would be a very large chunk of identically rated bonds.

If you rate 95 percent of the issues the same, the ratings cease to be useful, and investors need and utilize these ratings to differentiate credits,” said John Miller, chief investment officer at Nuveen Asset Management in Chicago, which manages about $65 billion in mostly tax-exempt bonds.

Really? If the bonds are safe, and 95% of them would get a AAA rating, maybe we could save a lot of money by removing a low-value information source.

It makes sense to look at the organizations who control credit data, and ask the age-old question: who benefits? These organizations aren't in it for their health.

A++++ Fast and Professional!! Would Read Again!

In "Crowd control at eBay," Nick Carr writes:

EBay has been struggling for some time with growing discontent among its members, and it has rolled out a series of new controls and regulations to try to stem the erosion of trust in its market. At the end of last month, it announced sweeping changes to its feedback system, setting up more "non-public" communication channels and, most dramatically, curtailing the ability of sellers to leave negative feedback on buyers. It turns out that feedback ratings were being used as weapons to deter buyers from leaving negative feedback about sellers.

He goes on to rail against the usefulness of feedback loopss:

As these sites grow, keeping them in line requires more rules and regulations, greater exercise of central control. The digital world, it seems, is not so different from the real world.

However, he doesn't question EBay's central decision. If the goal is to control retaliatory feedback, then require all feedback be given within N days (N might vary for transaction types, international shipping, etc), and don't reveal the feedback until both buyer and seller have finalized what they want to say.

(Personally, I think that some structure in the feedback--was the item as described? was it shipped quickly and as requested? was the interaction business-like, chatty, or rude? could enhance things a lot, as would displaying the value of the transactions. But that's an aside.)

What's important is that EBay is replacing a transparent and manipulated system with one that's going to be worse for their customers, and more expensive to operate. It will be interesting to see what emerges from this. Will a worse feedback system be enough to overcome the network effects and allow a strong competitor to emerge?

Thanks to Nicko van Someren for the pointer.

Parking Meters are Reverse Slot Machines

Raymond Chen has an amusing blog post, "When computer programmers dabble in economics: Paying parking tickets." This is further dabbling in economics, and I hope you find it amusing.

I believe that parking meters--the old fashioned kind where you put coins in and hope to not get a ticket--are precisely the opposite of slot machines. With a slot machine, you put money in, and you hope, money comes out. I like not putting money in parking meters, and hoping none comes out of my pocket.

Photo: "Downtown Phillipsburg, NJ," by Peachhead.

Working on the Traveling Band

If you travel a lot, you're used to dealing with many network difficulties. For a while now, I've been traveling with an Airport Express, which has made life a lot easier. I set it up to use DHCP, plug it into the hotel Ethernet, and go. At the very least, it means I can work from the bed, rather than from a desk that is inevitably at the wrong height.

Even more so, I now travel with at least three devices that have WiFi -- my laptop, my phone, and my iPod. I travel about half the time with my SO, who also has a laptop and an iPod with a network. I said "at least" because I also have a Nokia slate, which is a specialized device (I lug it along when I don't want to lug a laptop, for example).

Also, for some reason the better the hotel you stay in, the more they charge you for Internet access. Sleep in a cheap hotel, and the network is free. Stay in an expensive one, and they charge you $10 to $15 a night. Stay in the UK, and you can face £18 a day for your net.

This is changing. Ramada and Radisson, are doing a lot of free Internet. Fairmont gives free Internet to their President's Club members (no better reason to join, for me). However, this still means that you have to figure out how to share your one obscenely expensive net connection with the coalition of devices in your room.

However, another way that this is changing is that there's more and more wireless going into hotel rooms, and less wired. For us, wired is good, because you just plug a basestation into the net and you go. But with wireless, you need a basestation that listens on a wireless connection while re-broadcasting another.

For quite some time, I've been complaining that the appropriate router doesn't exist. A few weeks ago, however, a friend told me about the D-Link DWL-G730AP, which purports to do what I want. I also found on my own research the Linksys WTR54-GS. They appear on the surface to be mostly equivalent. The Linksys comes in a compact package that has an AC plug bundled into the unit. The D-Link has a separate transformer, but can also be powered from USB. I ended up getting the Linksys. The deciding factor was that both units have manuals on the web, and the D-Link manual is a high-level installation guide that describes several possible configurations, but the one I want is missing. The Linksys has a detailed manual that tells how to set it up from its internal web server, do MAC address spoofing, port mapping and redirection, and so on. A manual that told how to set up what I want was the clincher. I bought it right before a trip to the UK, and wanted to avoid buying wireless access. There are a couple of annoying things about the Linksys. It cannot be a client onto a secured network, which meant that I didn't set it up before I left. I would have taken time I didn't have to pull the "security" off of my my G network to experiment. (It's just WEP, hence the quotes around "security." I consider it a no-tresspassing sign.) Once in a hotel, I have not yet figured out how to put a password on the network it broadcasts. Each of my attempts resulted in having to hard-reset the device. It has a nice, convenient hard-reset button. On the other hand, I've been busy and in various stages of sleep-deprived brain damage, so I don't know that it's their fault that I haven't figured it out. I settled for hiding the SSID. I don't actually care if someone mooches on my hotel wireless, if they leave enough bandwidth for me. If the D-Link will work as a wireless-to-wireless router, it has an advantage over the Linksys in being USB-powered. That means you can easily plug it in to your laptop while using paid wireless, and rebroadcast for your phone or iPod or SO. I just don't know that you can. If someone has a definitive answer, place a comment below. If you're from D-Link and reading this, make a note that you lost a sale solely because your manual confused me.

Thoughts on "Internet Miscreants"

I've been thinking about Franklin, Perrig, Paxson, and Savage's "An Inquiry into the Nature and Causes of the Wealth of Internet Miscreants" for about three weeks now.

This is a very good paper. For the infosec empiricist, the dataset itself is noteworthy. It consists of 13 million public IRC messages (that is, in-channel stuff, not PRIVMSGs) obtained from several networks and channels, collected over a 7 month period. These messages contain sensitive information (such as PII) and offers to sell various illicit goods. The authors provide no information concerning the process by which the IRC networks and channels were selected for monitoring, a matter which may be relevant for those seeking to replicate their findings. For the CS crowd, they use a nifty machine-learning technique to identify and categorize messages which are advertisements.

The authors are able to present a number of fascinating descriptive statistics about the market they study, including the number and activity level of market participants, price history, measures of flow of goods into the market, statistics on which goods are offered for sale most often, etc.

This paper has gotten some attention in the trade press because it discusses methods which could potentially be used to disrupt this IRC-based underground economy. In a nutshell, the key is to make it impossible to tell good sellers from bad, thereby deliberately creating a market for lemons and driving out customers.

Ultimately, there are way more questions than answers. This has nothing to do with the paper, which is excellent. It has to do with disciplinary maturity, which we in information security lack, and with quality data, which we lack even more.

But dwelling on the positive for a moment, it is interesting to consider what we might be able to investigate using a dataset like this. At a macro level, we might be able to observe the price reaction given a sudden increase in supply. For example, if we have independent confirmation that at a particular time 100 million credit card numbers became available for sale, it would be interesting to see if this was followed by a drop in the asking price, and if so, how large a drop.

Even more interesting: if we already have an idea about the elasticity of price with respect to supply, we can estimate the size of the market based on observed price movements given a supply shock of known size. If, similarly, we observe an unexplained drop in price, we may presume that an unreported supply shock has taken place. This is an indirect estimator of the amount of the personal information iceberg existing below the waterline. Cool!

There's also a certain practical value. Consider the recent UK data breach. Already, there are reports that personal information from this incident are appearing on the underground market. Franklin, et. al. have provided us with an estimate of how much traffic in UK PII existed prior to this breach. The same surveillance techniques which informed their analysis are undoubtedly still under way today. Perhaps three, six, or twelve months from now a second analysis will show a dramatic increase in the amount of UK PII flowing through the market. The policy ramifications of knowing how great the lag is between PII being pilfered and its appearance on the market are significant. What use is a twelve month credit freeze, for example, if the lag is 24 months?

A final question that data like this can help answer concerns the relationship between breaches and identity theft. Since British banks reportedly are balking at monitoring all the accounts involved for fraud, this opportunity may be squandered. I commented on the important role banks could play back in June:

One way to estimate the extent to which having your PII exposed in a breach increases the probability of your becoming an identity theft victim is to watch for the exposed data elements using a fraud detection network
[...]
Other than using banks as a focal point and having them report on fraud using these stolen elements, I cannot think of another way.
[...]
I suppose one could try to determine whether the stolen elements were in the inventory of any black-market sellers, but I do not see how one can gain access to their inventory information. It's clear that the illicit trade in this stuff is non-trivial, but I honestly do not know that we have anything approaching a comprehensive picture of the landscape.

(emphasis added)

I now see that I was overly pessimistic in my last two sentences, and I am thankful for that.

Let me close with a quotation about price data which reflects my current mood:

Certainly they tell us a great deal, some but not all of which is reflected in policy debates.

At the same time much remains unknown. Given the number of instances in which deductive
arguments have been promulgated with great confidence only to be refuted by empirical
evidence, it seems wise to be somewhat cautious in drawing conclusions that go beyond the
scope of the data.

Although some of what is not known is probably unknowable--at least in the medium term--there
are considerable opportunities for expanding the range of questions that have been addressed
empirically. Price data are much more accessible than data pertaining to prevalence or quantity.

A relatively modest investment of resources could substantially increase both the quantity and the quality of the price data available for analysis.

This observation is from "What price data tell us about drug markets", a 1998 paper. I fervently hope its applicability to the information security world is demonstrated by a stream of papers stimulated by Franklin, et. al.

The costs of liability

It's become common for people thinking about security economics to call for liability around security failures. The idea is that software creators who who ship insecure products could be held liable, because they're well positioned to address the problems.

I don't think this is a trouble-free idea. There are lots of complexities. As one example, are open source vendors going to be liable? Fyodor, who writes and gives away nmap? RedHat.com? What about Apple, when they include a package, say bind or bzip, both of which were included in their latest security update. Including such third party software allows Apple to provide basic functionality at lower cost.

Now, the UK Information Commissioner has proposed that doctors who lose laptops with patient data could be subject to a £5,000 fine.

Mr Thomas said: “If a doctor, or hospital [employee] leaves a laptop containing patients’ records in his car and it is stolen, it is hard to see that is anything but gross negligence.”

The commission can currently issue enforcement notices but these “do not impose any element of punishment for wrongdoing”. But Lord Lyell of Markyate, a former Attorney-General, said it would be disproportionate to criminalise doctors for losing a laptop.

Mr Thomas said the intention was not to prosecute for a single incident, but that for gross negligence there was “a need to have some deterrent in place”. He said anyone holding personal data should know the basics of “encryption” to protect that material. ("Doctors may be prosecuted if their laptops are stolen," Times Online, UK)

I'm with Lord Lyell here, and think that there's a great deal of specific thinking to be done before we should impose more liability for software flaws. Software creators, including Mozilla, know that it's hard to make bug-free software, so my employer probably thinks similar things.

Possibly related, "Government ignores Personal Medical Security."

Via PogoWasRight.

Links of the day

http://plato.stanford.edu/entries/economics/
http://faculty.fuqua.duke.edu/~rnau/choice/whoswho.htm

(Also useful as a reading list for a possible upcoming cage match between Hutton and Bejtlich ;^))

Security Advantage? I Don't Buy It.

As quoted in Ken Belva's blog, Larry Gordon writes:

However, the above is not the end of the information security story from an economics perspective. If an organization can distinguish itself as having much better information security than its competitors, then that organization may well derive a “competitive advantage” (at least in short-run, until competing firms catch-up in terms of security) that results in increased demand for the organization’s physical product(s) and/or service(s).

While I'm sympathetic to the claim, let's ask how an organization "can distinguish itself as having better information security than its competitors." (In this post, I'm explicitly not speaking for or about my employer, who I think is doing a great job investing in security, eg, by paying me.)

How can a potential customer make a decision about security? As a consumer, I might look to funny television advertising, or other forms of marketing. But marketing isn't a good signal: it's equally easy for a firm to invest in marketing their security effort if they do little, or nothing as it is to market if they invest in a security development lifecycle. As an enterprise, I might consider spending a little money on a critical analysis of the software under consideration, but that's expensive, and I might cynically believe that the results will all be on the order of "this stinks!"

Even if I could analyze security, security is likely only one of several factors that contribute to my buying choices. It's not clear that it's a great source of competitive advantage. For example, in their early days, ebay and paypal invested in things other than security, and did spectacularly well on that decision.

See Ken Belva, "Dr. Gordon: Information Security can have a positive return."

Lastly, I'll mention series here in 2004 on the value of signaling as a means to address information asymmetry in "Security Signaling," "Signalling by Counting Low Hanging Fruit," and "Ratty Signals." There's some great comments.