May 10, 2007

Leadership, the very definition of fraud, and the court of security ideas

It's been a bad week for security leaders. Bruce Schneier has been lambasted for asking whether we need a security industry at all, Ross Anderson published an article "commissioned by the Federal Reserve" that was riddled with errors, and now the chief security researcher of one of the leading security firms, Mikko Hyppönen, proposes a lame duck idea.

I feel very conflicted. On the one hand, I applaud these people for airing some opinions -- we need open discussion and new ideas. On the other hand, there is a serious difference between conjecturing in a scientific sense, in order to spark some serious debate, and selling snake oil.

The latter is often the result of moral hazard. As Ross Anderson complains about banks, when we sell a false statement such as "our systems are secure, so it must be your fault," then our own standards slip due to our own beliefs, and eventually we get the reverse of what we are selling.

Fair enough, but this moral hazard also applies to the writer of security ideas. I feel very strongly about this, as ordinary users are paying for this! When someone gets phished, they lose a lot: time, reputation, credit, and so on. Sometimes they lose money, and in a successful phish at least someone loses the money.

Maybe Schneier is really saying "With leadership like this, you'd be better off without a security industry?"

When a company starts selling "security" ... or merely writing about it ... then maybe we need to consider the liability for this. Class action suits are already in play, and I think it is only a matter of time before software vendors also find themselves responsible for their fraudulent sales by one means or another.

Maybe it is time to call a spade a spade. Forget snake oil. Call it fraud!

The very definition of fraud is discussed by Joseph T. Wells, perhaps America's most voluble presenter on the subject:

Under common law, three elements are required to prove fraud: a material false statement made with an intent to deceive (scienter), a victim’s reliance on the statement and damages.

I'd suggest that you read the entire article.... Several times! Meanwhile, let's cast the definition of fraud over one of the ideas facing us today, the suggestion of a .bank TLD.

Do we have a material false statement?

The Internet Corporation for Assigned Names and Numbers, the body that creates new top-level domains, should create a new, secure domain just for this reason—something like “.bank,” for example.

What is false about that? Specifically, a .bank TLD does not give any vestige of security at all, as discussed earlier. That's one tick in the box.

Showing "intent" is harder, it seems, so let's refer to JTW again:

There is no such thing as an accidental fraud. What separates error from fraud is intent, the accidental from the intentional. Assume [the] statements contain material false statements: Were they caused by error or fraud? The problem with proving intent is that it requires determining a person’s state of mind. As a result, intent usually is proven circumstantially. Some of the ways we can help prove intent by circumstantial evidence include
  • motive, ...
  • opportunity, ...
  • repetitive acts, ...
  • witness statements, ...
  • concealment. ...

Only the last is clearly not present, as publication of the idea in Foreign Policy is pretty much out in the open :) Motive is clearly present:

Registering new domains under such a top-level domain could then be restricted to bona fide financial organizations. And the price for the domain wouldn’t be just a few dollars: It could be something like $50,000—making it prohibitively expensive to most copycats. Banks would love this. They would move their existing online banks under a more secure domain in no time.

That's an invitation for someone to make some easy money if ever I saw it. That looks like the sort of rewards only seen in crime.

Opportunity is generally open but hard, in that anyone can submit a proposal to ICANN and create a TLD, in theory. Repetitive acts ... would depend on who is doing this, and as this is simply an idea being floated, we can't pinpoint anyone. Witness statements are also dependent on the idea turning into practice.

I would then call "intent" a cautious positive. If this idea were turned into reality, we can suggest motive and opportunity.

Next, JT Wells says "a victim's reliance on the statement." Well, that seems a slam dunk, if you've ever worked with banks. As a quick generalisation, they are only capable of doing security thinking in the most extreme of contexts, and they frequently rely on outside companies with a reputation in security sales to advise them.

Finally, damages will follow in due course, in any actual phishing attacks. It isn't necessary for us to predict these, simply to say that if they occurred, the rest of the discussion will complete the claim.

This isn't a court of law, and even if it were, we are unlikely to find an idea fraudulent. However, it seems plausible that we can apply the same test that the lawyers do. In that sense, it seems that the idea of a .bank TLD, if it were taken forward as a security proposal, would run the risk of being ruled as fraud.

Posted by iang at May 10, 2007 04:26 PM

Can you comment further on the flaws of Ross Anderson's article? (Or did I miss an earlier post that covered this?)

Posted by: Toby at May 10, 2007 10:10 AM

But here's what I noted up until I stopped counting:

"Since about 2000..." no, work was done before that, and the realisation was widespread, just in different places.

"The critical change was..." no, the critical change was that villains worked out how to make scads of money.

"[Phishing] started in 2003..." no, it started against online FIs in 2001. Against e-gold! Also, it was a variation of something that existed before, going back to around 1997 from memory.

"By 2006 ... nine figures in the USA" No, we'd passed a billion per year by mid 2004.

"...and finally move them through a nonbank such as eGold or Western Union."

No, he tries to make the case that nonbanks are always part of the chain. Nonsense; they are only in the chain in some cases. In many cases, the banks are all of the chain, but it ends with banks in strange faraway places.

The problem with a lot of these errors is that they feed directly into the conclusions, which are unsustainable, IMHO.

(And as everyone knows, I won't hesitate to criticise who he's trying to criticise.....)

Posted by: Iang at May 10, 2007 10:36 AM

minor topic drift in sci.crypt ng ... the thread was "open source voting" ... but the response was to some comments about financial industry having standards and standards bodies (this is before current state where sci.crypt is being bombed by somebody ... all the posts are really coming from the same id if you look at the hdrs) open source voting

Posted by: Lynn Wheeler at May 10, 2007 11:09 AM

Lynn, I guess you are talking about this bit:

part of this was because it was in the heyday of "PKI is the answer, now what is the question?" ... and the adding of digital certificate processing to existing payment transactions was resulting in factor of two orders of magnitude (100 times) bloat in both payload size and processing overhead:

the issue is more along the lines of risk averse in disputes and where the burden of proof lies. a financial institution electing to not use a "standard" will find that they have a significantly more difficult burden of proof placed on them in any dispute/litigation. this has actually shown up in at least one litigation dispute in europe ... where the plaintiff claimed damages (and prevailed) from financial institution in an unexplained large financial transaction and only cited DES as still being used (after it had been deprecated). as a result, the burden of proof fell on the financial institution to prove that the continued use of DES could not be a factor.

there was some additional transformation when NIST announced that it no longer needed to create standards from scratch ... but could cite as standards, work done by other bodies ... like X9F (I think the first instance was x9.62 having to do with elliptical curve cryptography).

Posted by: Iang at May 10, 2007 11:33 AM

re: open source voting Leadership, the very definition of fraud, and the court of security ideas

aka the original post appeared to assert that the reason that the financial industry had "open" security standards was because that the standards were "open" to lots of people looking at them ... and potentially with all the examination, would result in identifying deficiencies and result in overall better security.

an alternative possible explanation was that in a dispute or litigation ... showing that there was conformance to (some) accepted standards ... reduced what needed to be established/proven (from scratch) in resolving the dispute ... aka the use of standards is a (at least partial) defense.

better defense (in litigation) and better security are not necessarily identical.

Posted by: Lynn Wheeler at May 10, 2007 02:20 PM

Cheers for that. The final point seems the most critical, but also the one for which we have the least evidence. Is there anything out there that suggests how often a nonbank is the final destination of phished funds?

In general, that looks like a good start to a rebuttal. Given Anderson's influence, a rebuttal might be a useful thing to produce.

Posted by: Toby at May 11, 2007 10:59 AM

I'd put bank phished funds vs e-gold phished funds in terms of the animal kingdom ... Think about a blue whale vs any snake, even the biggest. That's about the size-range I guess represented by the situation.

Posted by: SnakeCharmer at May 11, 2007 02:02 PM

re: Leadership, the very definition of fraud, and the court of security ideas

the other part is that a lot of the industry is point-solution wunderkind patches ... that don't actually correct any problem but create a paradigm of life-long patches. open source voting

this somewhat tempts to stray into the subject nothing succeeds like failure ... referenced here: On cleaning up the security mess: escaping the self-perpetuating trap of Fraud?

and misc. post postings making reference to (problems with) security point-solution (patches) Why does my address appear as part of my name? Securing financial transactions a high priority for 2007 John W. Backus, 82, Fortran developer, dies

Posted by: Lynn Wheeler at May 12, 2007 11:28 AM

In response to Toby's question about bank v. non-bank channels, I've asked around for opinions. I'll post them if I get any ... but I wouldn't hold out much hope for a useful scientific answer. I suspect nobody has as yet given any serious thought to putting a number on the question.

Posted by: Iang at May 13, 2007 06:32 AM

Hi Ian,
this question would assume knowledge of money laundering felonies taking place, to know of same and to not report same is a misprision of a felony, something NO banker would "knowingly" do, or be one of the principals in e-gold currently under attack by US TREASURY/IRS/DOJ/DEA, etc..

any info you are likely to get will be heavily biased... (even prosecutions(failed attempts at laundering same))

FINCEN may have some current stats if u ask them real nice..

gwen - former banker/researcher...

Posted by: gwen hastings at May 13, 2007 06:35 AM