ID Theft, meet IRS

One of the things that makes building secure products such a challenge is how hard people will work to steal. Clever criminals who come up with new attacks will spread them around. Today’s attacks often seem to center on identity.

“Identity” seems to be hard-wired into our brains (or at least our society) as a way to manage risk. It’s not insensible. After a counter-party makes increasing investment in a relationship, the odds they’ll cheat you drop. If you’ve lived next door to someone your whole life, you make certain expectations, born of experience, about their behavior. The identity system for managing risk doesn’t scale to today’s speed of communication or travel, but we keep using it, and as we do, fraudsters keep finding new ways to exploit that:

It doesn’t take much to file a tax return. What’s to stop an identity thief from filing one under your name to generate a refund? Nothing. To generate the maximum refund, you can be sure all kinds of frivolous deductions will be claimed. After all, it will be you that has to attend the audit. (“Identity Theft, Impacting Your Taxes?“)

And here I’d forgotten that there are bureaucracies worse than the credit bureaus.

[Update: Fixed some grammar issues.]

Economics of Vulnerabilities: Markets?

When I drew that picture for Don Marti, he suggested a market in software vulnerabilities. People who had invested in knowledge about a program could then buy or sell in that market. I think that the legal threats and uncertainties are probably sufficiently market-distorting to make such a market hard to operate and hard to take price data from. That might be correctable.

Incidentally, one of the troubles with over-editing is that you miss points that you want to make in a post.

The French Chef Model Of Intellectual Property

For the week since Brad Feld published it, I’ve been trying to find something to enhance “Norms-based IP and French Chefs:”

Norms-based IP systems are an alternative (or a complement) to legal based IP systems. The Case of French Chefs is a superb example of how this works. If you care a lot about IP protection – especially if you think our current system has issues – this paper is definitely worth reading and pondering.

The picture is of course, “Beets and Leeks,” the preparation in which Thomas Keller introduced butter-poached lobster. Interestingly, that preparation is now widely copied, and Keller has gone on to a version of Beets and Leeks in which the lobster is prepared sous-vide.

The picture is from “Fine dining with Tom, anne and David in Napa, California.”

6th Workshop On Privacy Enhancing Technologies

We’ve announced the program for the 6th Workshop on Privacy Enhancing Technologies, and space is still available for registrants. The program is so cool that I’m not going to try to summarize it, but rather quote Kim Cameron (“SEE IF YOU CAN MAKE PET 2006“):

Here’s one conference I definitely won’t miss. I’ve been lucky enough to preview some of the papers. I guarantee that if you want to deepen your understanding of privacy enhancing technology, you should see if you can get to Cambridge at the end of June.

We’ve got a keynote from Susan Landau, we’ve got papers on Privacy and the real world, privacy policies, anonymous communication, traffic and location analysis, and private multi-party computation, authentication, and cryptography.

If you plan to go, you should book soon:

Please consider booking your accommodation AS SOON AS POSSIBLE. The PET workshop is taking place at the same time as Cambridge’s “graduation” ceremonies, which means that there will be pressure on space. Even if you are not entirely sure you are coming, there is often no penalty if you book and then cancel later on.

Not-very-effective privacy enhancing technology photo from vago the artist.

President Bush Calls for National ID Card

[Bush] also proposed to cut back on potential fraud by creating an identification card system for foreign workers that would include digitized fingerprints. He said that a tamperproof identification card for workers would “leave employers with no excuse” for violating the law.

Of course, that means the rest of us will need the cards, too, because otherwise the immigrant just says “I’m American.” Such an ID card will lead to more corruption of public officials, more ID theft, and no less immigration. See the national ID category archives, or my talk from BlackHat 2003, “Identity and Economics: Terrorism and Privacy.” (Or PDF or Powerpoint.)

The quote is from “Bush straddles the border, trying middle road on immigration,” Seattle Post-Intelligencer.

The Internet Channel, at Risk

Lack of trust in online banking among U.S. consumers is a serious constraint because of doubts about banks’ security measures, according to eMarketer’s new report, “Online Banking: Remote Channels, Remote Relationships?”

The result is a slowing rate of adoption, with online banking households increasing by only 3.1% in the last quarter of 2005 — the lowest increase in three years. The number of online banking households as a percentage of total online households is pretty stagnant, too. It is expected to grow by just 4 percentage points between 2006 and 2010. (“Consumers Losing Trust in Online Banking.“)

I’ve been saying for a while that the internet channel is at risk, and that banks ought to take drastic action to reverse things before it goes into decline. Remember that security is hard to measure, and consumers use proxies rather than clean measurements of security. So brand trails reality, often by a fair amount. If the idea spreads that online banking isn’t trustworthy, it will take massive investment to reverse.

One final detail from the press release:

Being able to trust a banking site is extremely important to customers, with more than 87% saying in an Ipsos Insight survey that they wanted assurance that the bank would not sell their personal information…

Seems like a market differentiator made in heaven: “__’s privacy promise: We won’t sell, rent, or loan you. You’re a customer, not eyeballs to be monetized.” Where can I sign up?

US reporters under surveillance

Looks like the Bush administration is tracking reporters’ phone calls. Also, the FBI admits that it uses the Patriot Act to obtain journalists’ phone records in an attempt to determine to whom they have been speaking.
Read more here and here, from an ABC News reporter who has received some “attention” from the government.
Photo: Andreas Gronski

Economics of Vulnerabilities

Lately, I’ve been playing with an idea. Work by both Microsoft and certain open source projects has made finding and exploiting vulnerabilities in their code substantially harder. So, the effort needed to find a vulnerability has gone up. The effort needed to build a working exploit has gone up. Thus, the willingness of a vulnerability researcher to publish a vuln for fame is declining, because the investment has increased, and thus ROI has dropped. (This paragraph is largely stolen from paraphrasing Halvar Flake.)

I will get to explaining the picture, but I’m going to take my (and possibly your) sweet time about it.

I’ve been slowly drafting this post for a while, and am motivated to post it now by a set of things that I see as closely related:

  1. Michal Zalewski’s post of a half-baked exploit to bugtraq a few weeks ago. What’s most interesting to me is that Zalewski didn’t finish the POC (Proof Of Concept) into a full-blown exploit. Zalewski is really, really good. His not producing full code is unusual.
  2. There’s a post on MetaSploit by HD Moore, “Exploit Development: GroupWise Messenger Service” that talks about all the work that goes into research.
  3. Jennifer Granick has an article in Wired, “Spot a Bug, Go to Jail.”
  4. Dancho Danchev has a blog post, “Shaping the Market for Security Vulnerabilities Through Exploit Derivatives.” There’s a whole bunch of ways in which I think markets can help us extract useful information, but that are hard to execute on under the threat of lawsuit.
  5. Dave G has a blog post, “Vulnerability Fishing” with metaphors of fishing with spears and with dynamite.

All of these entail some sense of discomfort with aspects of the working agreement around vulnerability research that we call ‘responsible disclosure.’

When I was a young whippersnapper, I could find a vuln in an afternoon, and then spend the next month wrangling over if the vendor was going to fix it. I didn’t start that negotiation impatient to get to the announcement.

It becomes harder for amateurs to play, but enterprises may fund the work, either for marketing value, or to exploit it. We’re raising costs in other ways, as Granick points out in her Wired article.

So as the economic rules change, the availability of vulnerability information may decline in a way which I think is unfortunate. The net return is dropping (based on the added risk), while the investment is skyrocketing.

To the sketch, it’s the start of an effort to think about these sorts of things: Where in the vulnerability discovery process does effort go? Who can control the shapes of those curves? How do their efforts to control them affect other participants?

The initial search line, by the way, is below the origin because time spent looking for bugs has no utility until you find something. (Pace Sardonix.)

Both researchers and product developers have control points. Researchers are developing tools, from static and dynamic analysis tools to frameworks like Metasploit or Canvas which allow for faster development of exploits. Product developers could make different choices about what level of description is involved. There are other, societal control points, such as the threat of lawsuit.

Thinking about it all in the form of linked curves could be helpful all around.

[Update: Bruce Schneier pointed out that he had drawn a remarkably similar curve, based on risk to victims rather than utility to attackers, and published it in Cryptogram in Sept, 2000. He discusses risk, I discuss utility. The ideas are closely related, as the attacker’s utility ties to the defender’s risk. More to come on this.]

That didn’t take long

Verizon is facing a $5 billion lawsuit over its alleged law-breaking. The NYT reports today that this suit may actually involve as much as $50 billion in damage. Previously, a $20 billion suit had been filed regarding the aspects of the NSA program that had become publicly-known in December.
Interestingly enough, when you don’t take into account the downside of engaging in a criminal conspiracy enterprise of questionable legality, it may have ramifications for your shareholders and executives. I wrote about this elsewhere, but it looks like this angle may have increased relevance here at EC.

Two Minutes Hate: Choicepoint

This is: the snooping into your phone bill is just the snout of the pig of a strange, lucrative link-up between the Administration’s Homeland Security spy network and private companies operating beyond the reach of the laws meant to protect us from our government. You can call it the privatization of the FBI — though it is better described as the creation of a private KGB.

The leader in the field of what is called “data mining,” is a company called, “ChoicePoint, Inc,” which has sucked up over a billion dollars in national security contracts.

Read “The Spies Who Shag Us,” by Greg Palast. Don’t miss the bits about who’s the number one supplier of DNA to the FBI.