We have often discussed how threats arise and impact security models. The big question is always which threats to include and which to leave out. I think there is a metaphor that addresses part of this question - whether a threat is a clear and present danger. Let me meander in that general direction before I try to define it.
We cannot include all threats, as to some extent everything is a threat - the chance of stubbing one's toe, a harsh word from your spouse, a neighbour looking over the fence, the theft of your notebook. Removal of all threats would result in death of the soul, and can probably only be accomplished by death of the body.
So we must choose which threats to protect against and which to accept. We give it the exotic title of risk management, but a more common name for it is real life: we can only live by choosing to accept the greater body of the minor threats to us, and minimising the dangerous ones.
How we choose which threats to address is based on many factors. Some are easy - we can defend against them for free. Others are so cheap that we don't notice, or they come with substantial other benefits. So, to preserve our modesty, we wear clothes - and that keeps us warm, so we get the security for free. Except in summer, when humans are exposed to interesting social games between the threat model of modesty and the heat of the sun, which raise, for some, deep questions as to whether nudity is the threat, or the modesty is. But then winter comes again and the argument is shelved for another year.
Other threats are not so easy nor so endearing to discuss. These are the ones that run slap bang into costs. The canonical case in financial cryptography is the MITM - the man-in-the-middle attack - and its defence in the SSL protocol. I think I have shown in compelling, albeit long-winded, terms that this threat was not valid and not worth protecting against in the application sometimes known as ecommerce. Doing so raised many costs, one amongst them being a heightened risk of MITM in another form - phishing. See many rants on that elsewhere.
One of the things that came out of that long research into SSL, and its failure to prevent the very harm it was intended to protect against, is the concept that a threat should be validated. I only had a hazy idea of what this meant: that we should be able to prove its danger to us, clearly enough for us to justify protecting against it.
Now, in addressing the emerging threat of eavesdropping, the question arises: is it validated? We can see it, we can feel it - it is in the papers and the blogs and in the "denials." But is it validated?
I think not. Until we know how much of it there is, we don't know what the risk of it happening to us is, and therefore we do not know how much to spend protecting against it. We simply do not know - yet - how much the eavesdropping is going to cost us, either individually or as a society. So we are not informed enough to make economic decisions.
But wait! I've laid out a case that the danger of eavesdropping is right there in front of us - how can we possibly ignore it? Let's look a little further.
The possibility of eavesdropping by national agencies has always been there. I first heard of Echelon in the early 80s - so far back in time that I can't recall where or when it was mentioned. But I also knew - or discovered at that time - that it was ineffective. That is, it did not achieve the dream of the technologists at the UKUSA agencies. (For the answer to why, you probably need to resort to computer science and the emergence of datamining.)
So we know that eavesdropping has always been there, in Internet time. It is present. But we also know that, traditionally, societies did not permit the eavesdroppers to share that information. History is replete with examples where the spooks were not permitted to pass valuable local intelligence to the authorities, and no doubt they all have stories about how they know who the killer was in this or that unsolved murder case.
So we know that however effective the eavesdropping was, it wasn't dangerous to us, because it was so tightly constrained that it would never be passed into general society. That was the quid pro quo, the deal with the devil.
And indeed, that is what has changed - the eavesdropping information is now being shared across a wide group of agencies. It's only a step away from being commercially shared, once you can pick and choose which agency to pervert. So it is now dangerous to society - to you, me and everyone - because there is always someone with money to pay for data that we are trying to keep private.
But we lack clarity. As a community of Internet engineers, we still do not know how much this danger is going to cost us. I simply do not know whether to drop everything I'm doing and start working on cryptoplumbing again, or whether, for the most part, someone can still hide in the noise levels of the net. We lack clarity, or clearness, in our threat.
Out of these thoughts comes a general definition of a validated threat: is it a clear and present danger?
Eavesdropping is Present and Dangerous. It is not yet Clear, so we are now challenged as a community to measure it. Once we can inform ourselves of the clarity of the threat, we can declare it to be a validated threat - a clear and present danger. We're not there yet, but at least I can propose a definition of how to get there!

Posted by iang at June 19, 2006 05:56 PM