May 22, 2024

Posts Comments

Wiley's Super-Worm

October 29, 2002 by

Brandon Wiley writes about the possibility of a “super-worm” that would use sophisticated methods to infect a large fraction of Internet hosts, and to maintain and evolve the infection over time. This is scary stuff. I have two comments to add.

First, the worst case is probably even worse than Wiley suggests. His paper may only scratch the surface of what a really sophisticated bad guy could do.

Second, Wiley’s paper points out the double-edged nature of basic security technology. The methods we use to protect ourselves against attacks – encryption, redundancy, decentralization, code patching – are the same methods that Wiley’s bad guy would use to protect himself against our counterattacks. To counterattack, we would need to understand the flaws in these methods, and to know how to attack them. If we ban or stigmatize discussion of these flaws, we put ourselves at risk.

Filed Under: Uncategorized Tagged With:

Slate: Nigerian Scam Emails Explained

October 23, 2002 by

Brendan Koerner at Slate explains why we’re all getting so many Nigerian scam emails. Most of them really do come from Nigeria, though the rest of their story is of course fictional.

Filed Under: Uncategorized Tagged With:

Discovery vs. Creation

October 8, 2002 by

Last week I had yet another DMCA debate, this time at the Chicago International Intellectual Property Conference. Afterward, I had an interesting conversation with Kathy Strandburg of DePaul Law School, about the different mindsets of DMCA supporters and opponents.

DMCA supporters seem to think of security technology as reflecting the decisions of its creators, while opponents (including me) think of technological progress in terms of discovery.

Two examples may help illustrate this distinction. First, consider the inclusion of a spell checker in Microsoft Word. This is a decision that Microsoft made. There is no law of nature saying that word processors must include spell checkers, but Microsoft evaluated the pros and cons and then decided to do it that way.

Second, consider Einstein’s statement that E equals MC-squared. Einstein didn’t decide that E should equal MC-squared, he discovered it. E had always been equal to MC-squared, and it would continue to do so regardless of what Einstein said or did. He didn’t create that fact; he was simply the first one to figure out that it was true.

I tend to think of computer security as a process of discovery. If I figure out that a certain system is insecure, that is a discovery. I didn’t make the system insecure; it was always insecure and all I did was to point out that fact. Nothing I did could make such a system secure, just as nothing Einstein did could have made E equal MC-cubed.

DMCA supporters sometimes seem to think of computer security as being the result of a collective decision by experts. It is as if we all, by simply acting as though a system were secure, could make it really be secure. If you think this way, then deciding to make a widely deployed technology insecure would indeed be a stupid and wasteful decision, and it might sensibly be banned. But if you think this way, then in my view you don’t really understand computer security.

When you’re making a film, or writing a song, or drafting a statute, or negotiating a contract, you’re making decisions. It might be natural for people who make films, songs, statutes, or contracts to try to apply their understanding of their own fields to the world of technology. They can decide that such an approach makes sense; but ultimately they will discover that it does not.

Filed Under: Uncategorized Tagged With: , ,

One More on Biometrics

September 26, 2002 by

Simson Garfinkel offers a practical perspective on biometrics, at CSO Magazine.

Filed Under: Privacy & Security Tagged With:

Washington Post on Biometrics

September 25, 2002 by

Today’s Washington Post has an article about the use of biometric technology, and civil-liberties resistance against it.

Interestingly, the article conflates two separate ideas: biometrics (the use of physical bodily characteristics to identify someone), and covert identification (identifying someone in a public place without their knowledge or consent). There are good civil-liberties arguments against covert identification. But the overt use of biometrics, especially in situations where identification already is expected and required, such as entry to an airplane, should be much less controversial.

There might even be ways of using biometrics that are more protective of privacy than existing identification measures are. Sometimes, you might be more comfortable having your face scanned than you would be revealing your name. Biometrics could give you that choice.

By implicitly assuming that biometric systems will be covert, the article, and apparently some of the sources it quotes, are missing the real potential of biometrics.

(Caveat: Biometrics aren’t worth much if they can’t reliably identify people, and there are good reasons to question the reliability of some biometrics.)

Filed Under: Privacy & Security Tagged With: