Jon's Radio : Jon Udell's Radio Blog


Note: Jon's Radio has moved to InfoWorld


Click to see the XML version of this web page.

Click here to send an email to the editor of this weblog.


Notes from Schneier's ETCON talk

Everything we do in the face-to-face world requires security in some way. The limits of security become the limits of the Internet. If we can't do it securely, we're not going to do it. Attacks make it harder to engage in business and social interactions.

The value so high that we rush to do things even though we can't do them securely.

On technology side, computer security failing by any measure. As a general rule, computer security products -- as deployed -- don't work.

You'd think by now we'd solve buffer overflows, a problem discovered in the 1950s. Even though there are automatic tools to find/fix. The hard stuff is hard, but even the easy stuff is hard.

We have no solution to the insider problem.

Why? These results are surprising. In every other aspect of computing, things get better over time. We throw technology at it, and it improves. Security is different. The reason is complexity.

We're not willing to sacrifice features for security.

There's a strong monoculture, so you see epidemics. Having two or three operating systems won't do it. You need thousands of different things, and we can't solve that problem.

Data and code are intermingled. Attacks formerly impossible are now easy.

SOAP is a fire-wall-friendly protocol like a bullet is skull-friendly.

Always-on connections less secure than dial-up. IP everywhere: phones, Blackberrys.

Nonlinear and tightly coupled systems have catastropic failure modes. Securing this, I believe, is impossible.

Old attacks never go away, new ones arise. News reports never paint this picture, they focus on what's new. In 1995 you could make news breaking into a website, now it happens 1500 times a day.

We need to focus on businesses, motivations, and costs. Figure out why we're accepting bad security, and decide whether/how to fix it.

When I wrote Applied Crypto, I had a military model. Black and white. Avoid the threat, or not. Businesses don't think that way. Failure is an option. You can fail to manage risk properly, you just pay for it. Once you start to think of computer security in this way, you have more options. Shoplifting is called "shrinkage" -- life's like that, the cheapest way to manage the risk is to eat it. Doesn't solve the problem, mitigates the risk. You can mitigate with procedures. In a jewelry store, you'll be watched by a sales person. Or you can transfer the risk. The jewelry store will have theft insurance. Take the risk, put a box around it, give it to somebody else. In reality, you'll have a mix of these strategies, and that mix depends on the unique character of your business.

Why do people have firewalls? Because there was a consensus, a groundswell, you'd ge pinged if you didn't, so it made no business sense. The converse for email.

How to change this? Security has to affect the bottom line, and then the CEO will care. Why do companies comply with environmental laws? They have to.

Unless legal/regulatory pressure weighs in, no change.

Step 1. Enforcing liabilities.

Step 2. Allow parties to transfer liabilities.

Step 3. Provide mechanisms to reduce risk.

Step 4. Rational prosecution leads to deterrence.

In five years, insurance companies will drive computer security. For a CEO, insurance is the primary risk management tool, and that's what they'll use. And they'll be required to do it. There are fire extinguishers here in the Westin Hotel because they have to, not because they want to.

Press releases from security vendors will not change the actuarial model. Only security that works will do that.

Suddenly a company choosing operating system gets handed two insurance policies -- here's what it costs if you use Linux, here's the policy for Microsoft. The math gets much more interesting now. Security will improve, it will have to.

PKI wants to give you a virtual badge because we can't give you a physical one. Firewalls want to build virtual walls where real ones can't be built. But the fortress metaphor fails in our interconnected world. Trust is a very complex things. There ar fluid boundaries. A hospital is not good guys inside and bad guys inside. You've got doctors, patients. I can't conceive of a firewall that works for that case. The best model is cities. Computer security no different from real-world security.

Until now, computer security sold as a prophylactic. In the real world we do not prevent crime, we detect and respond. Through the response there is a deterrence backchannel. We don't all wear body armor and live in fortresses. We have security processes.

Standardization quantizes risk profiles. Hard to make security insurance scale otherwise. So outsourcing gets the scale, and it's what the insurance industry will want. In a world of liabilities, what becomes important is best practices.

Pushback to outsourcing: it's too high risk. And yet...we outsource our health to fast-food companies. They've combined technology and processes that turn teenagers who can't keep their room clean, believe washing their hands is a waste of time, and work for minimum wage, into a workable solution for food delivery.

Prosecution: we need to do it. Detection/response work after the fact. We're safe in this room because we live in a lawful society. We're not really there on the Net yet. Not easy. Our entire criminal justice system is based on physical proximity. On the Net, action-at-a-distance and anonymity change the rules. It's hard to backtrack attacks. Hard to separate the attacker and the attacker's computer.

We'll start to see jurisdiction shopping. You'll pick the country from which to launch your attacks. Safer to do it from Russia than the US. Internet a lawless society still. I see this in companies not wanting to talk about their attacks. The reason: they're afraid of 1) retribution, and 2) they're afraid of the public perception. Reminds me of warlord societies. In that kind of society, you do not make waves,  you hide and hope he goes and attacks somebody else. The Internet feels that way.

We've been a civilization 4000 years. When will we eliminate murder? We won't. We have a good intuitive feel of where to walk in a city. A store that opens its doors to the shopping public also opens its doors to criminals. Same on the Net. If you're connected, you're open to everyone. We live with risk, we manage it.


Audience) This is the death of the small software developer.

Schneier) Agree it's a problem. Don't see an alternative.

A) You've said we'll have monoculture no matter what. This creates potential for catastrophic failure. The insurance industry does not want to, and cannot, insure against catastrophe.

S) OK, some things are uninsurable. They won't get done. Maybe good, maybe bad, but inevitable.

A) What if reduced security is how we manage risk? What if these disasters we see don't really matter?

S) It's true. Computer security today does not matter. And given the environment, it shouldn't. Companies don't spend on security is not reasonable. If we believe more security is better, we need to change the equation, just like we did with environmental protection.

A) What about DRM?

S) I've been through the crypto wars. We went up against the NSA and won. But Disney is a much more determined and well-funded adversary. They will fight for their business, with their whole business. They don't want you to own a general-purpose computer. In five years it may be impossible to run free software. This is a big deal. Sorry to be such a downer...

© Copyright 2002 Jon Udell.
Last update: 8/6/2002; 12:46:19 AM.

Click here to visit the Radio UserLand website.