Thursday, December 29, 2016

"Women and Children First"

As we approach autonomous cars, some have posed the question "In accident avoidance should the car prefer its passenger or the pedestrian?"  It is posed as a difficult ethical dilemma.  I even heard an engineer suggest that not only does he not want to make the decision but that he would like Congress to make it as a matter of law.  

This is really just another instance of an ethical dilemma that humanity has faced forever.  It has many illustrations but one that has been used in teaching ethics is called the "life boat" problem.  If there is not enough room in the lifeboat for everyone, who gets in?  If there is not enough food and water, who gets preference?

The simple answer is "women and children first."  Human drivers will steer away from a woman with a baby carriage even if they do not have time to evaluate the alternative.  It is built into the culture, all but automatic, but the reason is that it is pro life.  Children are the future of the species.  Women can nurture and reproduce.  Men can sow but they cannot reap.  While the male role takes minutes, the female role takes months.  Life needs more females than males.

The reason that we do not apply this pro life rationale to the autonomous automobile is that we assume that the consideration is beyond its capability.  However, most of what one expects of an autonomous car today was beyond its capability a decade ago.  For the moment, most may not be able to consider all the factors we might like.  For example, they may not recognize age and gender, much less consider them.  Ten years from now, they certainly will.  

In this context it is useful to consider how such systems make a decision.  They identify a number of scenarios, depending upon the time available, assign an outcome and a confidence level to each, and choose statistically.  The kind of ties implied by the strawman dilemma will be vanishingly rare, even more so as the computers become faster and the number of things the can consider increases.  

Compare the autonomous car to the human driver.  In the two tenths of a second that it takes a young adult to recognize and react, the autonomous car will evaluate dozens of possibilities with as many considerations.  Like the human driver, the autonomous car may confront instances when there are simply no good options but the whole reason for using them is that they are less likely than the human driver to overlook the least damaging.  

Wednesday, June 29, 2016

The Role of Risk Assessment in Digital Security

The very idea of Risk Assessment has always been controversial.  I have been engaged in the controversy for fifty years. My ideas on the subject are well considered if otherwise no better than anyone else's.  I record them here.

I attribute the application of this idea to what was then called Computer Security to my mentors, later colleagues, Robert H. Courtney, Jr. and Robert V. Jacobson.  They did it in an attempt to rationalize decision making, more specifically the allocation of scarce security resources, to the then nascent field.  They did it in response to their observation that many, not to say most, security decisions were being made based upon the intuition of the decision maker and their belief, and a tenet of this blog, that security is a space in which intuition does not serve us well.  They wanted to bring a little reason to the process.

They could not possibly have known that in a mere fifty years that the resources applied to this effort would grow to the tens to hundreds of billions of dollars, that the safety and liberty of the individual, the health of public and private enterprise, the efficiency and resilience of our economy, and the security of the nations would turn on how effectively and efficiently we used those resources.  

So, at its core risk assessment is a decision making tool.  It is a tool that we use to answer the question "where to spend the next dollar of our limited resources?"  Courtney's Second Law says one should "Never spend more mitigating a risk than tolerating it will cost you." We will, do, make this decision, with or without tools.  We make it intuitively or we make it rationally but we do make it.  

At its most elaborate risk assessment is a very expensive tool requiring significant knowledge, skill, ability, and experience to use, more than most of us enjoy.  It should be used only for expensive decisions, decisions that are expensive to reverse if we get them wrong.  At its simplest, it protects us from making decisions based solely upon the threat, attack, vulnerability, or consequence de jour.  It protects us from intuition, from fear.

All that said, few of us are confronting expensive or difficult decisions, decisions requiring sophisticated decision making tools, risk assessment or otherwise..  We have yet to implement all those measures that we know to be so effective and efficient as to require no further justification.  They are what Peter Tippett calls essential practices.  Anyone can do them, with available resources, they are about 0.8 effective but work synergistically to achieve an arbitrary level of security. They fall in that category that we call "no brainers."  All we need is the will.  

Monday, April 25, 2016

Compromise of Credit Card Numbers

Recently FireEye published an intelligence report stating that a previously unknown cybercrime group has hacked into numerous organizations in the retail and hospitality sectors to steal an estimated 20 million payment cards, collectively worth an estimated $400 million on the "cybercrime" black market.

To a near approximation, all credit card numbers more than a few months old are public. The market price has dropped to pennies. We are all equally targets of opportunity. That any one of us has not been a victim of fraud is mere chance. They have so many that they simply cannot get to us all.

The brands are at fault for marketing a broken system, one that relies upon the secrecy of credit card numbers but which passes them around and stores them in the clear. Their business model is at risk. They have technology, EMV, tokenization, and checkout proxies, but the first is too slow for many applications and they are not promoting the other two to merchants or consumers.

Issuers take much of the fraud risk. They are attempting, with some short run success, to push this to the merchants.  However, with merchants and consumers, they share in the risk of our broken system.

As the referenced report suggests, bricks and mortar merchants, particularly "big box" retailers and hospitality,  are finding that both issuers and consumers are blaming them for the disclosure of the numbers. Issuers are charging back fraudulent transactions. and suing merchants for the expense of issuing new cards after a breach. Their systems are being penetrated and numbers ex-filtrated wholesale. Point of sale devices are being compromised, or even replaced, to capture debit card numbers and PINs. These are used to produce counterfeit cards.  Some of these are used to,purchase gift cards or get cash at ATMs. Merchant brands have been badly damaged by bad publicity surrounding breaches. While most of these merchants can resist compromise, there are more than enough to guarantee that some will fall. Merchants can reduce fraudulent transactions by preferring mobile, EMV cards, and by checking cards, signatures, and IDs but all but the first slow the transaction and inconvenience the customer.

Online merchants are the target of all kinds of "card not present" scams and take the full cost of the fraud. While it will not stop the fraud, the online merchants can both protect themselves and speed up the transaction by not accepting credit cards and using only proxies like PayPal, Visa Checkout, Apple Pay, and Amazon.

While, at least by default, consumers are protected from financial loss from credit card fraud, the system relies heavily upon them to be embarrassed by it.  At least on court has agreed to hear evidence as to whether or not consumers as a class are otherwise damaged when their card numbers are leaked to the black market.

All this is by way of saying that as long as anyone accepts credit card numbers in the clear, we will be vulnerable to their fraudulent use. There are now alternatives and we need to promote them, not simply tolerate them. Think numberless, card-less, and contact-less.

Monday, February 29, 2016

Encryption and National Security versus Liberty

In the 1990s, in what might be called the first battle of the Crypto War, the government classified encryption as a munition and restricted its export.  While opposing export in general, the government was licensing the export of implementations that were restricted to a forty bit key.  Of course, 56 bit was then the norm and, at the time, expensive for the NSA to crack.  

IBM had just purchased Lotus Notes and wanted to,export it.  In order to get a license, they negotiated an agreement under which they would encrypt 16 bits of the 56 bit message key under a public key provided by the government and attach it to the message or object.  This would mean that while the work factor anyone else would be 56 bits, for the government it would be only 40 bits.

Viewed today, 40 bit encryption is trivial; twenty years ago it was strong enough that, while the government could read any message that it wanted to, it could not read every message that it wanted to.  Said another way, it would be able to do intelligence, or even investigation, but it still would not be able to engage in mass surveillance.  

Moreover, we believed that the NSA only collected,traffic that crossed our borders, that it could not be used against citizens.  We believed that the government could keep,their private key secure. Of course, post "warrant-less surveillance," the routine breaches of government computers, including those of the NSA,and the exponential growth of computing power over a generation, this all seems very naive.  

However, I like,to think that it illustrates that it is possible to craft solutions that grant authorized access to the government, with a work factor measured in weeks to months per message, file, device or key, while presenting all,others with a cost of attack measured in decades or even centuries.   

It also illustrates the fundamental, application, and implementation-induced limitations of any such scheme, limitations that would have to be compensated for.  No such scheme will be fool-proof, nor need it be.  Like our other institutions and tools, it need only work well enough for each intended application and environment. 

Monday, February 22, 2016

US v. Apple

SUNDAY: Comey tries to downplay the dispute, arguing in his new statement that no precedent would be set if Apple would just go along.
"I hope folks will take a deep breath and stop saying the world is ending, but instead use that breath to talk to each other," he said.
"Although this case is about the innocents attacked in San Bernardino, it does highlight that we have awesome new technology that creates a serious tension between two values we all treasure — privacy and safety," he said, adding:
"We simply want the chance, with a search warrant, to try to guess the terrorist's passcode without the phone essentially self-destructing and without it taking a decade to guess correctly."
This sounds like capitulation to me. If this is now about the "victims," then the government made a serious mis-step in attacking Apple in the first place. However, the government's current position does not support a charge of "government over reach."
The issue of how far the government may go in coercing the unwilling and the un-involved to assist them in recovering evidence that they are otherwise entitled to is important and needs to be litigated. We should be glad that Apple is prepared to fight it. Perhaps not since Runnymede has the King had a more formidable adversary. However, this is not the right case to fight it on.
There is ample precedent for un-involved citizens to voluntarily assist the government. It would not be precedent setting for Apple to voluntarily assist with this one mobile in this one case. Apple should "declare victory and go home." It should do here what it can do and fight the government over reach issue when the government is more certainly guilty of it.