It's been a bad week for security leaders. Bruce Schneier has been lambasted for asking whether we need a security industry at all, Ross Anderson published an article "commissioned by the Federal Reserve" that was riddled with errors, and now the chief security researcher of one of the leading security firms, Mikko Hyppönen, proposes a lame duck idea.
I feel very conflicted. On the one hand, I applaud these people for airing some opinions -- we need open discussion and new ideas. On the other hand, there is a serious difference between conjecturing in a scientific sense, in order to spark some serious debate, and selling snake oil.
The latter is often the result of moral hazard. As Ross Anderson complains about banks, when we sell a false statement such as "our systems are secure, so it must be your fault," then our own standards slip due to our own beliefs, and eventually we get the reverse of what we are selling.
Fair enough, but this moral hazard also applies to the writer of security ideas. I feel very strongly about this, as ordinary users are paying for it! When someone gets phished, they lose a lot: time, reputation, credit, and so on. Sometimes money, too, and at least someone loses the money in a successful phish.
Maybe Schneier is really saying "With leadership like this, you'd be better off without a security industry?"
When a company starts selling "security" ... or merely writing about it ... then maybe we need to consider the liability for this. Class action suits are already in play, and I think it is only a matter of time before software vendors also find themselves responsible for their fraudulent sales by one means or another.
Maybe it is time to call a spade a spade. Forget snake oil. Call it fraud!
The very definition of fraud is discussed by Joseph T. Wells, perhaps America's most voluble presenter on the subject:
Under common law, three elements are required to prove fraud: a material false statement made with an intent to deceive (scienter), a victim’s reliance on the statement and damages.
I'd suggest that you read the entire article.... Several times! Meanwhile, let's cast the definition of fraud over one of the ideas facing us today, the suggestion of a .bank TLD.
Do we have a material false statement?
The Internet Corporation for Assigned Names and Numbers, the body that creates new top-level domains, should create a new, secure domain just for this reason—something like “.bank,” for example.
What is false about that? Specifically, a .bank TLD does not give any vestige of security at all, as discussed earlier. That's one tick in the box.
Showing "intent" is harder it seems, so let's refer to JTW again:
There is no such thing as an accidental fraud. What separates error from fraud is intent, the accidental from the intentional. Assume [the] statements contain material false statements: Were they caused by error or fraud? The problem with proving intent is that it requires determining a person’s state of mind. As a result, intent usually is proven circumstantially. Some of the ways we can help prove intent by circumstantial evidence include
- motive, ...
- opportunity, ...
- repetitive acts, ...
- witness statements, ...
- concealment. ...
Only the last is clearly not present, as publication of the idea in Foreign Policy is pretty much out in the open :) Motive is clearly present:
Registering new domains under such a top-level domain could then be restricted to bona fide financial organizations. And the price for the domain wouldn’t be just a few dollars: It could be something like $50,000—making it prohibitively expensive to most copycats. Banks would love this. They would move their existing online banks under a more secure domain in no time.
That's an invitation for someone to make some easy money if ever I saw it. That looks like the sort of rewards only seen in crime.
Opportunity is generally open but hard, in that anyone can submit a proposal to ICANN and create a TLD, in theory. Repetitive acts ... would depend on who is doing this, and as this is simply an idea being floated, we can't pinpoint anyone. Witness statements are also dependent on the idea turning into practice.
I would then call "intent" a cautious positive. If this idea were turned into reality, we could point to motive and opportunity.
Next, JT Wells says "a victim's reliance on the statement." Well, that seems a slam dunk, if you've ever worked with banks. As a quick generalisation, they are only capable of doing security thinking in the most extreme of contexts, and they frequently rely on outside companies with a reputation in security sales to advise them.
Finally, damages will follow in due course, in any actual phishing attacks. It isn't necessary for us to predict these, simply to say that if they occurred, the rest of the discussion would complete the claim.
This isn't a court of law, and even if it were, we are unlikely to find an idea fraudulent. However, it seems plausible that we can apply the same test that the lawyers do. In that sense, it seems that the idea of a .bank TLD, if it were taken forward as a security proposal, would run the risk of being ruled as fraud.

Posted by iang at May 10, 2007 04:26 PM