Educause Security Discussion mailing list archives
Re: New Internet for Security
From: John Bambenek <bambenek.infosec () GMAIL COM>
Date: Sun, 15 Feb 2009 13:30:27 -0600
I'm not sure why this topic keeps coming up... the problems we face are not technical in nature and by extension cannot be solved with technical solutions. It is consistently mentioned that a patchwork of global laws hinders our ability to prosecute criminals. Sure, this is true. But that's a feature of globalization. A global marketplace requires a global body to set the rules of engagement and no one wants to go there. We want all the benefits of globalization but none of the "consequences" and the internet is just one manifestation of this ongoing problem. (And mind you, I fall on the political side of significant distrust for global bodies.)

Fraud is easy because our mode of economic transactions was never reconsidered for the electronic world. For instance, we have a national ID in the United States; it's a nine-digit number printed on a piece of paper that's laughable to forge. Worse yet, all it takes is mere knowledge of that number to effectively assume someone's identity. We'd laugh someone out of our offices if they confessed to having a nine-digit number as a password. However, our economy uses only a 9-digit username that's effectively public (let's be honest, the entire balance of numbers is more or less owned by now) without a password. The same is true for financial transactions; it's all based on "what you know"...

Philosophically, we've responded to these threats by cementing ourselves like 12 steps behind the bad guys. We do nothing until an attack is successful and money starts being stolen. And then we simply apply a "signature" that will stop yesterday's attack. If you wish to use the information warfare moniker, it's as if we've stepped on the battlefield committed to only playing defense and then acting shocked, absolutely shocked, that we cannot win. There are some technical tools to be brought to bear, but by and large these aren't technical problems.
If we can build a fraud model around it, we simply build it into the cost of doing business and pass it down to the consumer. Sorry about that.

If we want to solve this problem, the solution isn't fad-ish investments in creating a new internet; it starts with slowing down this mad rush of slapping crap online because it's new and sexy without even considering the implications of what we are doing. We dropped e-Commerce on the world like we dropped Little Boy on Hiroshima. Before then, you'd have to forge a credit card and start walking to a store or making phone calls. Pretty easy but darn tedious to really make bank. Insert computers and now you can do millions of transactions because mundane and repetitive transactions are the kind of things computers are really good at.

Solutions? Sure, it's time to tell the libertarian bitter-enders we've had a national ID for decades and short of remaking society, there is no way to get rid of some authoritative "widget" to verify someone's identity for the purposes of making transactions. We've got PKI; it isn't a difficult technical problem to solve compared to the political problems. We need to stop being afraid to get out ahead of attacks and shut down entire avenues of exploitation. How about verified e-mail? Pick a solution, there are plenty. How about we stop assuming that the end-user PC is secure for making electronic transactions, because end-user PCs (almost by definition) are insecure and insecurable. Let's stop putting sensitive information on them. Let's start disrupting the criminal syndicates. They deploy botnets that start stealing credit card information; let's flood them with fake (or even better, "real" ones that allow us to follow the money) financial account information. Let's drive down the profit of stolen financial information to a mere pittance of what it is today.
In short, let's drive a stake in the heart of their business model and start to make them respond to us instead of us waiting until they slap us around for a few days and then deploying an AV signature that's stale the second it hits the wire.

j

Theresa Rowe wrote:
http://www.nytimes.com/2009/02/15/weekinreview/15markoff.html?th&emc=th

Do We Need a New Internet?

"Bad enough that there is a growing belief among engineers and security experts that Internet security and privacy have become so maddeningly elusive that the only way to fix the problem is to start over."

Do you think it is really that bad?

--
Theresa Rowe
Chief Information Officer
Oakland University