December 14, 2024

A Roadmap for Forgers

In the recent hooha about CBS and the forged National Guard memos, one important issue has somehow been overlooked – the impact of the memo discussion on future forgery. There can be no doubt that all the talk about proportional typefaces, superscripts, and kerning will prove instructive to would-be amateur forgers, who will know not to repeat the mistakes of the CBS memos’ forger. Who knows, some amateur forgers may even figure out that if you want a document to look like it came from a 1970s Selectric typewriter, you should type it on a 1970s Selectric typewriter. The discussion, in other words, provides a kind of roadmap for would-be forgers.

This kind of tradeoff, between open discussion and future security worries, is common with information security issues – and this is a infosecurity issue, since it has to do with the authenticity of records. Any discussion of the pros and cons of a particular security system or artifact will inevitably reveal information useful to some hypothetical bad guy.

Nobody would dream of silencing the CBS memos’ critics because of this; and CBS would have been a laughingstock had it tried to shut down the discussion by asserting future forgery fears. But in more traditional infosecurity applications, one hears such arguments all the time, especially from the companies that, like CBS, face embarrassment if the facts are disclosed.

What’s true with CBS is true elsewhere in the security world. Disclosure teaches the public the truth about the situation at hand (in this case the memos), a benefit that shouldn’t be minimized. Even more important, disclosure deters future sloppiness – you can bet that CBS and others will be much more careful in the future. (You might think that the industry should police itself so that such deterrents aren’t necessary; but experience teaches otherwise.)

My sense is that it’s only the remote and mysterious nature, for most people, of cybersecurity that allows the anti-disclosure arguments to get traction. If people thought about most cybersecurity problems in the same way they think about the CBS memos, the cybersecurity disclosure argument would be much healthier.

Comments

  1. This is probably offtopic, but according to this article, it seems likely that those Bush memos were authentic after all. Or if they were forged, they were forged using a typewriter and not a word processor–either way makes Mr. Felten’s first paragraph equally moot.

  2. “Actually, drug labs do reveal exactly what they test for.”

    I don’t think so. See, for example http://www.nytimes.com/2004/09/18/sports/othersports/18olympic.html:

    “Dick Pound, the chief of the World Anti-Doping Agency, confirmed yesterday that athletes were tested for human growth hormone for the first time during the Olympic Games in Athens.

    “Olympic and drug officials were purposely circumspect about the test for the hormone before and during the Games.

    “Pound said yesterday that the samples could be preserved and retested ‘if there is a possibility that future knowledge will help us have a better test.'”

  3. Actually, drug labs do reveal exactly what they test for. That is why there are “banned substances” lists, which any competitive athlete is darn well aware of. I’m sure the methods used to detect, say, amphetamine in urine, are well-known by lab technologists, and published in the open literature.
    In pre-employment drug screening as well, the specific substances tested for are literally spelled out on a consent form, which the prospective employee not only is (gasp!) allowed to read, but actually *signs*. A world in which that which is illegal is not known, except by the prosecution, was well-described in Kafka’s “The Trial”. I don’t know about anyone else, but I do not want to live in it. The jury is still out on whether it’d be cool to be a big beetle, though.

  4. Do you also think that labs which test athletes’ blood and urine samples for performance-enhancing drugs, etc. should reveal what they are looking for, and how their tests work?

    Not knowing what can be detected–like not knowing whether today is the day a ticket inspector will board your bus–seems like a pretty good deterrent.

  5. PrivacyWatch says

    To Steve:
    No need to outlaw coat hangers when you can just make talking about them unlawful. Although, perhaps in California we can make giving away coat hangers without providing your email address illegal.

  6. A friend of mine said it aptly when MSFT first began the anti-disclosure campaign in earnest a few years ago: I think we can stop car theft by outlawing coat hangers.

  7. Roadmap for forgers

    Ed Felten writes that the discussion of the CBS memogate will no doubt prove instructive to future forgers. “There can be no doubt that all the talk about proportional typefaces, superscripts, and kerning will prove instructive to would-be amateur forg…

  8. PrivacyWatch says

    As far as forging goes, there is no reason you couldn’t create a Selectric typewriter font, including the same spacing, that would be completely convincing once it was converted to a fuzzed fax or photocopy.

    The real problem is that no document, printed or digital, is inherently geniune. The ubiquity of mechanical and digital type and of reproduction methods makes every document a possible forgery.