Educause Security Discussion mailing list archives

Re: New Internet for Security


From: John Bambenek <bambenek.infosec () GMAIL COM>
Date: Sun, 15 Feb 2009 13:30:27 -0600

I'm not sure why this topic keeps coming up... the problems we face are
not technical in nature and by extension cannot be solved with technical
solutions.  It is consistently mentioned that a patchwork of global laws
hinders our ability to prosecute criminals.  Sure, this is true.  But
that's a feature of globalization.  A global marketplace requires a
global body to set the rules of engagement and no one wants to go
there.  We want all the benefits of globalization but none of the
"consequences" and the internet is just one manifestation of this
ongoing problem.  (And mind you, I fall on the political side of
significant distrust for global bodies).

Fraud is easy because our mode of economic transactions was never
reconsidered for the electronic world.  For instance, we have a national
ID in the United States: it's a nine-digit number printed on a piece of
paper that's laughably easy to forge.  Worse yet, all it takes is mere
knowledge of that number to effectively assume someone's identity.  We'd
laugh someone out of our offices if they confessed having a nine-digit
number as a password.  However, our economy uses only a 9-digit username
that's effectively public (let's be honest, the entire balance of
numbers is more or less owned by now) without a password.

The same is true for financial transactions; it's all based on "what you
know"...

Philosophically, we've responded to these threats by cementing ourselves
like 12 steps behind the bad guys.  We do nothing until an attack is
successful and money starts being stolen.  And then we simply apply a
"signature" that will stop yesterday's attack.  If you wish to use the
information warfare moniker, it's as if we've stepped on the battlefield
committed to only playing defense and then acting shocked, absolutely
shocked that we cannot win.

There are some technical tools to be brought to bear, but by and large
these aren't technical problems.  If we can build a fraud model around
it, we simply build it into the cost of doing business and pass it down
to the consumer.  Sorry about that.

If we want to solve this problem, the solution isn't fad-ish investments
in creating a new internet, it starts with slowing down this mad rush of
slapping crap online because it's new and sexy without even considering
the implications of what we are doing.  We dropped e-Commerce on the
world like we dropped Little Boy on Hiroshima.  Before then, you'd have
to forge a credit card and start walking to a store or making phone
calls.  Pretty easy but darn tedious to really make bank.  Insert
computers and now you can do millions of transactions because mundane
and repetitive transactions are the kind of things computers are really
good at.

Solutions?

Sure, it's time to tell the libertarian bitter-enders we've had a
national ID for decades and short of remaking society, there is no way
to get rid of some authoritative "widget" to verify someone's identity
for the purposes of making transactions.  We've got PKI, it isn't a
difficult technical problem to solve compared to the political problems.

We need to stop being afraid to get out ahead of attacks and shut down
entire avenues of exploitation.  How about verified e-mail?  Pick a
solution, there are plenty.  How about we stop assuming that the
end-user PC is secure for making electronic transactions because
end-user PCs (almost by definition) are insecure and insecurable.  Let's
stop putting sensitive information on them.

Let's start disrupting the criminal syndicates.  They deploy botnets
that start stealing credit card information, let's flood them with fake
(or even better, "real" ones that allow us to follow the money)
financial account information.  Let's drive down the profit of stolen
financial information to a mere pittance of what it is today.  In short,
let's drive a stake in the heart of their business model and start to
make them respond to us instead of us waiting until they slap us around
for a few days and then deploying an AV signature that's stale the
second it hits the wire.

j



Theresa Rowe wrote:
 http://www.nytimes.com/2009/02/15/weekinreview/15markoff.html?th&emc=th
Do We Need a New Internet?

"Bad enough that there is a growing belief among engineers and
security experts that Internet security and privacy have become so
maddeningly elusive that the only way to fix the problem is to start
over."

Do you think it is really that bad?

--
Theresa Rowe
Chief Information Officer
Oakland University
