The rise and fall of perfect security

Modern societies, however resilient, are built on remarkably shaky foundations: every single day, we all depend on the moral standards and the restraint of thousands of random strangers. The rules of this game are weakly enforced through a series of very imperfect deterrence mechanisms (less than 20% of all property crime is ever solved in the United States) - but in the end, our world is little more than an incredibly elaborate honor system that we all voluntarily participate in.


That's probably okay - we are programmed to play along, and this approach proved to be a smart evolutionary move. A degree of trust is essential to advancing our civilization at a reasonable pace; and paradoxically, despite the apparent weaknesses, the accelerated rate of progress makes us stronger and more adaptable as a species in the long run.


When it comes to our online existence, our attitudes seem drastically different, though: we only joke about the idea of using the evil bit - and yet, we are perfectly comfortable that the locks on our doors can be opened with a safety pin. We scorn web developers who can't seem to get input validation right - even though we certainly don't test our morning coffee for laxatives or LSD. We are being irrational - but why?


Perhaps the reason is simple: mankind had thousands of years to work out the rules for social interactions in the real world; societies collapsed, new ones emerged - with an increasingly complex system of moral values passed from one generation to another. The Internet is much younger in comparison, and in the end, very different from what we are accustomed to: your neighbor will not try to sneak into your house, but may have far fewer qualms about using your wireless network - a concept that feels much less like a crime. He will not condone theft - but likely feels ambivalent about making unlawful copies of digital content. He may frown upon crude graffiti - but just chuckle at the sight of exploited persistent XSS on a popular website.


An argument can be made that the incentives in online interactions are so different from those in the physical realm that any such comparisons are simply inappropriate. But then, consider Wikipedia - a design that stands against everything we know about information security, yet demonstrates remarkable resilience in the face of attacks.


Here's a perverse thought, then: what if our pursuit of perfection in information security stems from a fundamental misunderstanding of how human communities can emerge and flourish? We are essentially preaching a model of a society based on complete distrust - but as the complexity of the online world approaches that of real life, the odds of being able to design perfectly secure software are rapidly diminishing; and the impact of being so paranoid is already taking its toll on how much we can achieve today.


If this model is not sustainable, will our online world share the fate of many other early civilizations - collapsing under the weight of its own imperfections, and ultimately, going the way of the dinosaur?


Perhaps; if so - new, more enlightened communities will certainly emerge.

Barbers and security professionals

There seems to be a significant, government-sponsored push for compulsory certification and licensing in the security industry. The wonderfully self-contradictory report from the Commission on Cybersecurity aside, Larry Seltzer pointed out that this very idea is also a major part of the proposed Cybersecurity Act of 2009:


"Beginning 3 years after the date of enactment of this Act, it shall be unlawful for any individual to engage in business in the United States, or to be employed in the United States, as a provider of cybersecurity services to any [...] information system or network designated by the President, or the President’s designee, as a critical infrastructure information system or network, who is not licensed and certified under the program."


I agree that there are persuasive arguments to be made in favor of taking this step - but it is very important to recognize that the same arguments can easily be made in favor of mandatory licensing for almost any contemporary profession. Quite simply: in modern societies, people serving even the most mundane roles can and occasionally do cause profound losses or significant distress to others. C'est la vie.


There is a small subset of professions where the stakes are particularly high - for example, building engineers; and several classes of occupations endowed with unique social privileges or an unusual degree of trust - say, doctors, lawyers, or teachers. In all these cases, licensing probably makes sense - although quite literally, it comes at a very significant price.


In most other occupations, however, the situation is far less obvious - and the current regulatory practice is rather arbitrary. We usually license barbers and hot-dog vendors - but not bakers, farmers, or pacemaker assembly line workers. Electricians and plumbers are licensed - but construction workers do not need to demonstrate even basic competency to any external body. Louisiana has a tough test and mandatory licensing for florists. Many of these distinctions are driven by specific interest groups, some are fueled by moral panics; but they do not seem to form a coherent, cost-efficient plan to make our society a safer place.


The extra cost of licensing aside, the most significant pitfall of overzealous regulation is that in attempts to preemptively police complex industries or individual human behaviors, governments are necessarily clumsy and heavy-handed - and often fail to consider many of the socially valuable corner cases. Here are a couple of my favorite (if only vaguely related) non-IT anecdotes:



  • To combat the proliferation of basement meth labs, Texas requires a license and a home inspection to buy a beaker. While this is unlikely to have any impact on real criminal activity, teaching your children chemistry suddenly gets a lot more complicated.



  • In an attempt to curtail drug use, eleven US states require you to have a prescription to buy syringes. This has a significant impact on many types of precision hobbies, where syringes are indispensable as a measuring tool; and probably only promotes syringe reuse among drug addicts.



  • Following reports of people pointing lasers at aircraft, Australia and some other jurisdictions ban the sale or import of lasers with output over 1 mW. This rule also covers more powerful but completely eye-safe lasers with integral pattern-generating optics - commonly used in machine vision and hobbyist robotics; the impact on these applications is profound.


In the end, it is a natural human instinct to try and minimize many of the perceived risks we are subjected to - but it's also important to seek sensible balance between this goal, and the task of maintaining our civil liberties, or enabling scientific progress. We can make our lives resemble one giant TSA checkpoint - but it's not a cheering prospect to contemplate.


So, yup: it is clear that bad software engineering may lead to real damage, and that the current situation is far from perfect. There is also a potential for damage in getting a bad haircut, or being served a mystery hot-dog. In the end, however, I believe that in the absence of truly exceptional circumstances and profound social benefits, we should be giving people the right to choose - and leave it to the industry to come up with the sort of meaningful professional certifications that it actually needs (if it needs any). Rudimentary liability for negligent engineering may be a far better method of improving the status quo, by creating incentives to care about security - rather than having a certification system to hide behind.


Some of the urgency around this topic is fueled today by the end-times rhetoric about cyber-terrorism, cyber-warfare, and the imminent cyber-apocalypse - and the apparent shortage of qualified personnel to step up and save the day; but for the most part, I do think this idea is very misguided. The landscape of information security, and the economics of vulnerability exploitation, have not fundamentally changed in the past 6-8 years or so - save for a body of vivid anecdotes, and a couple of interesting but not surprising incidents; we also enjoyed a steady growth of a competent workforce, and a very self-limiting problem of charlatans. It is still the bored teenagers and the crazy geeks, and not the XSS-obsessed arm of Al Qaeda, that are the most significant threat to our infrastructure. True, government agencies are finding it unexpectedly difficult to hire the right talent, but some of the reasons for this may lie with the organizational challenges these entities are facing today - and not with the failings of the outside world.


...


Even if you disagree with the vaguely libertarian premise outlined earlier - that governments should not regulate professions in the absence of exceptional social benefits of doing so - the other important question is whether there exists a body of stable, scientific knowledge that could be enforced as a part of a professional licensing scheme; if not, then the entire philosophical argument is moot. The apparent failure of commercial certification systems - a fact confusingly pointed out and then subsequently completely ignored in the CSIS report - may offer an important clue: are the existing schemes inadequate and weakly embraced simply because the people who administer them are incompetent quacks? If not, then perhaps something more profound is amiss - and a new, shiny licensing scheme is not going to change that.