» Archive for April, 2005

Blue-on-Blue

Thursday, April 28th, 2005

KasLog has a nice posting, “Identification, Friend or Foe, A Modern Lesson from the Military” which provides a few humorous examples of how an understanding of the difference between Friends and Foes might benefit various industries.

Military aircraft carry electronics to help pilots identify targets as friend or foe (IFF). The reason is simple: Shooting at friends is unhelpful, to borrow a term from diplomacy.

IFF for the Entertainment Industry

Case in point, the movie I just watched on DVD. I paid for it, yet I had to first endure a message targeted at pirates. Meaningless spam that wastes my time. Not once, but twice; first in English, then in French. So instead of saying: “Hey, thanks for buying this movie. Hope you enjoy it. We’re looking forward to having you back.” The message they want paying customers to see is: “Hey, you scumbag, don’t steal our stuff. We know you’re dumb enough to pay for this, which obviously means you can’t be trusted. The guys with guns are on our side. Beware!”

It’s useless. It’s insulting. Has this prevented even one person on the planet from illegally copying movies? No, of course not. Real criminals know what they are doing. Assuming the big pirates in Asia and the Middle East can decipher that legal gibberish, do they care? I know, a trick question; just kidding.

Now I know that a fair amount of DVD stamping and package assembly is performed in Asia, where some shops allegedly have been used “after hours” to produce copies of the same content they produced legally during the day. When I was in Beijing last week, I personally saw stores filled with pirated DVDs (both first-run and DVD titles) being guarded by the local police.

According to the MPAA, piracy losses globally were over USD $3.5 billion in 2002 (USD $168 million in China) with 15-20% growth rates, which would lead us to have reasonably expected global losses of almost USD $5 billion and losses in China of USD $241 million in 2004.

If the Movie Industry was really serious about stopping piracy, they wouldn’t punish the consumers who pay them their hard-earned money. Instead, they’d punish the economies of governments that look the other way when it comes to large-scale piracy by refusing to spend money on plants, equipment, and staff there.

(Of course, it might also turn out that if the legitimate business left, they’d go over to the Dark Side full-time, but that’s outside the scope of the Example-Sized Problem here.)

P.S. Another thing that Kas doesn’t consider is that the Military really isn’t any better at IFF than the industries he selects for his examples. Something like half of all casualties in close combat and Maneuver Warfare are “friendly” fire incidents (not that fire is ever “friendly,” especially if you’re the one who’s downrange). Throw in the added complexity of multinational forces where the equipment and uniforms might or might not be familiar and the situation rapidly goes to Hell in a Handbasket.

Security…It’s not just for computers any more

Wednesday, April 27th, 2005

This article from CSO Magazine is one of the better columns I’ve read in a long time.

Written by a CSO who remains anonymous for unfortunately obvious reasons, he (I’m assuming it’s a he, though it could just as easily be a woman) calls out the current US defense policies for the costly, counterproductive mess that they are.

as security professionals, we should be the first to face facts about the limitations of the very processes we advocate.

I love this column even more because it almost reads like a direct application of my “3 1/2 Question” model to the problem of National Security priorities.

First, he looks at whether or not this is a problem we have. As compared to the myriad other problems which take American lives each year, Terrorism is not a major problem.

Let’s assume, first of all, that the ultimate goal of security is to prevent the loss of lives. In this risk management approach, then, the first thing to look at is the leading causes of death in the United States. The total number of deaths from all attacks on Sept. 11, 2001, was approximately 2,988, according to the National Center for Health Statistics.

The 9/11 deaths were classified within a category called assaults/homicides, which was the 13th leading cause of death at 20,308.

eight of the top 10 causes of death are health-related… Could those billions of dollars have saved more lives if they had been spent on health research or on making health care available to a larger percentage of the population?

Next, he looks at whether or not the solution solves the problem and concludes that it probably doesn’t, pointing out that all of the Doomsday Scenarios (sail a nuke-laden boat into any major harbor, etc.) still exist despite all the spending.

Probably. But, you might ask, what about the costs of another successful terrorist attack? Another terrorist attack using say, a nuclear device, could result in hundreds of thousands or maybe even millions of deaths—not to mention having a catastrophic effect on the nation’s economy and environment. That’s true. But ask yourself this question: Have the billions of dollars spent on additional security since 9/11 made this kind of attack impossible?

Third, he considers whether this is all cost-effective…and concludes it’s not.

Spending hundreds of billions of dollars on increased security is not going to bring back the victims of 9/11, and it isn’t going to improve by very much our already heightened vigilance against terrorism. … As a nation, don’t we already spend more on national security than the next 10 nations combined?

Yes, there are terrorists still out there in the world, but I’ve got news for you: There have always been terrorists in the world, and there always will be—no matter how much money we spend fighting them.

Finally, he tackles the opportunity costs of all that spending, either reduced deficits, increased support for education and research or for solving larger health and safety issues, and suggests that the money would be better spent elsewhere.

Sure, my natural inclination as a CSO is to believe that if some security is good, then more security is better. But logically, I can’t help but think that it’s time for us to turn our attention to other types of threats. There is no end to them. Deteriorating educational performance, a declining manufacturing base and a lack of medical coverage for millions of Americans are but a few of the threats facing this nation. These issues are now far more likely to cause significant damage to the future health, safety and welfare of Americans than a crippled al-Qaida hiding in the bowels of the mountains of Afghanistan.

The Cold War ended because the Soviet Union finally reached the point where defense spending as a percentage of GDP became unsustainable. In the end, it was not about military might but about the Opportunity Costs of constantly preparing to fight a war that both sides knew neither side was capable of winning.

General Motors and the US Steel industry are both about to blink out of existence due to unsustainable healthcare costs for their workforces and retirees. That the opportunity for the United States government to reform healthcare as a mechanism to restore US competitiveness is consistently ignored boggles my mind. In this case, what is good for GM is truly good for the nation. So why does the Business-friendly administration oppose it so?

Meanwhile, the United States has become obsessed with constantly arming itself to fight a War On Terror that cannot be won, only controlled. In the meantime, as the column’s author points out, the foundations of future competitiveness such as infrastructure, education and basic research are being badly neglected so we can focus our resources on fanning the flames of hatred overseas.

William Lind has written a significant volume of commentary on the ineffectiveness of trying to fight a “traditional” war against stateless adversaries like terrorists. His writings should be mandatory reading for both hawks and doves. He understands both the seriousness of the threat and the appropriate responses.

While it doesn’t look nearly as good on TV, multi-lateral police and intelligence work does a lot more good than invasions if the goal is capturing the perpetrators of terrorist attacks. The fact that it does so without alienating and inflaming the populations that then produce more terrorists is just an added bonus. It’s a lot harder to get worked up enough to commit violence over the fact that someone you’ve never met was arrested with a bomb than over the fact that there is a foreign army’s tank parked in your front yard.

Online dating, rent-mongering, and pets.com

Tuesday, April 26th, 2005

It’s old news that the on-line dating site True.com has greatly irritated its competitors, primarily Match.com, with its blatant rent-mongering attempts to get legislation enacted which would require every online dating site but itself to post warning labels over all their profiles:

Vest [CEO of true] has managed to convince legislators in states including California, Texas, Virginia, and Michigan to sponsor bills that would target rival dating sites like Match.com, Yahoo Personals, Spring Street Networks, craigslist and eHarmony.

Those sites would be required to stamp this stark warning atop every e-mail and personal ad, in no less than 12-point type: “WARNING: WE HAVE NOT CONDUCTED A FELONY-CONVICTION SEARCH OR FBI SEARCH ON THIS INDIVIDUAL.”

Today, though, I found an On-line personals blog which has gotten into the mix with “James Houran, Ph.D., Chief Psychologist, TRUE.com” (whom I’ll trust to be legit based on his postings) and representatives of numerous other sites all mixing it up for our voyeuristic pleasure. It really starts to get good about half-way down the page when Houran starts to run out of prepared talking points.

What it all comes down to is that True went for a high-cost variation of the on-line dating business model (real cost to conduct a background check of every member) and it’s not panning out.

I was Match.com’s Information Security Manager in a former life, so I know a little more about this than the Guy On The Street. True should have asked some of those Product Development people they hired from Match what the Lifetime Value of a Registration was. I don’t feel I’m at liberty to say, but I will say that in the current pricing environment, it’s not enough to turn a profit if you run a criminal background check on all of them, even if you get some sort of volume discount.

So True took an existing business model (meet people on-line), tacked on what they hoped would be a perceived added value (criminal background checks of members), and discovered that the numbers didn’t actually work. The pages of Red Herring, Fast Company, and Business 2.0 are littered with the corpses of companies that meet this description, some more famously than others.

Really, Pets.com could be described the same way: Take an existing business model (sell stuff for pets) and add a twist (put it on-line), then discover that numbers don’t work (you can’t make a profit UPS’ing a 50lb bag of dog food).

What True.com is doing, however, is not only ineffective–they use ChoicePoint, after all–but actually quite stupid from a Risk perspective. By selling a Sense of Security, they are creating a population of people who will be more complacent because they feel secure.

Thus, True.com has a business model which is based on encouraging people to assume risk they might otherwise not. Sounds like an invitation to a lawsuit if ever there was one to me.

What is it about airports and poor security?

Monday, April 25th, 2005

On my way home from Beijing on Friday, I had to change planes in Tokyo. And since I was changing airlines from JAL to American, I also had to change terminals. This involves taking a bus from Terminal 2 (where JAL arrives) to Terminal 1 (where American departs).

The Japanese take their security pretty seriously. You get screened (X-ray and metal detector) both on leaving the first terminal and entering the second terminal. This seemed a bit excessive unless they were afraid I was going to hijack the bus using the metal knife that JAL gave me to butter my breakfast roll.

What amazed me, however, was how you could authenticate yourself to be allowed on the bus to the other terminal in one of two ways.

The first way was by showing your Passport and boarding pass for a flight departing Terminal 1, just as if you were entering from the outside world. This seemed not unreasonable and would also prevent anyone from accidentally getting on the bus if they weren’t supposed to.

The other way was with a “connecting bus ticket to terminal 1.” As you can (barely) see in the photo:

[Image: Narita “Bus Ticket”]

this is just a photocopied slip of paper, and all I had to do was walk up to the JAL employee standing in front of a list of flights leaving Terminal 1, point at one of them, and I was handed this slip of paper.

Once I had my “bus ticket”, I was exempt from producing my boarding pass and passport to prove I should be allowed at Terminal 1.

So what I would love to know is what the goal of this process was. If it was simply to make sure that people didn’t get on the bus to Terminal 1 by accident, then why did people need to show their passports along with their boarding pass? If it was to re-authenticate that only people who were supposed to be going to Terminal 1 did, then why was I allowed on the bus with my completely unauthenticated Bus Ticket?

There is obviously a significant discrepancy between the “quality” of the two forms of Identity, yet they were used interchangeably. People who didn’t get a Bus Ticket were pretty strongly authenticated: they had to prove both that they had a need to get to Terminal 1 (their boarding pass) and that they were the owner of that boarding pass (their passport). People with a Bus Ticket, however, were effectively not authenticated at all.

How many security systems can you think of with similar design flaws? Do they require too much authentication in some cases or allow unauthenticated users to be treated as authenticated in others?

Lastly, why does it seem to be so hard to do this stuff right?
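As an added illustration (mine, not part of the original post), here is a small Python model of the Narita gate. It treats each accepted credential as carrying an assurance level and treats the gate as an OR over its alternatives, so the gate’s effective strength is the minimum over them; a credential handed out by a desk inherits the assurance of whatever that desk actually checked. The three-level scale, the names and the modelled inputs are assumptions made for this example, not anything the airport publishes.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    """How much confidence a credential gives that the holder is entitled to pass.
    The scale is an assumption for this example, not a standard one."""
    NONE = 0      # nothing was checked
    BEARER = 1    # possession of a document, not bound to the holder
    VERIFIED = 2  # possession plus an identity check binding it to the holder


@dataclass(frozen=True)
class Credential:
    name: str
    assurance: Assurance


class Gate:
    """A checkpoint that admits anyone presenting at least one accepted credential."""

    def __init__(self, name: str, accepted: list[Credential]) -> None:
        self.name = name
        self.accepted = list(accepted)

    def admits(self, presented: list[Credential]) -> bool:
        return any(p in self.accepted for p in presented)

    def effective_assurance(self) -> Assurance:
        """OR-composition is weakest-link: an attacker takes the cheapest path."""
        return min(c.assurance for c in self.accepted)

    def issue(self, name: str) -> Credential:
        """A credential handed out at this gate inherits this gate's assurance,
        regardless of how strong the gate that later consumes it is."""
        return Credential(name, self.effective_assurance())

    def weak_paths(self, required: Assurance) -> list[str]:
        """Every accepted credential that falls below the level the gate should enforce."""
        return [c.name for c in self.accepted if c.assurance < required]


# Constructed inputs modelling the Narita transfer described in the post.
POINT_AT_FLIGHT = Credential("point at a flight on the departures list", Assurance.NONE)
PASSPORT_AND_BOARDING_PASS = Credential(
    "boarding pass for a Terminal 1 departure plus matching passport", Assurance.VERIFIED)

# The JAL desk issues a "connecting bus ticket" to anyone who points at a flight,
# so the ticket carries the assurance of that check: none.
connecting_desk = Gate("JAL connecting-bus desk", [POINT_AT_FLIGHT])
BUS_TICKET = connecting_desk.issue("photocopied connecting bus ticket")

# The gate as observed: two alternatives of very different strength.
narita_gate = Gate("bus to Terminal 1", [PASSPORT_AND_BOARDING_PASS, BUS_TICKET])

# The same gate with the weak alternative removed.
fixed_gate = Gate("bus to Terminal 1 (no bus ticket)", [PASSPORT_AND_BOARDING_PASS])


if __name__ == "__main__":
    for gate in (narita_gate, fixed_gate):
        print(f"{gate.name}: effective assurance = {gate.effective_assurance().name}")
        print(f"  paths below VERIFIED: {gate.weak_paths(Assurance.VERIFIED)}")
```

Running it reports NONE for the gate as observed and VERIFIED once the bus-ticket path is removed. The general lesson the model makes explicit: adding a convenient alternative to a checkpoint can only lower its effective assurance, and a derived credential is never stronger than the process that issued it.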

Slow Week…

Tuesday, April 19th, 2005

This is going to be a slow blogging week for me. I may get an entry out, but probably won’t. Things should return to normal next week, though.

The NYTimes editorializes on Data Privacy

Friday, April 15th, 2005

There is an actual editorial in today’s New York Times, “Identity Thieves’ Secret Weapon”:

But for a single innovative law in California, the nation’s consumers might not even be hearing some of the more outrageous news about mass heists of supposedly secure computer information from reputedly trustworthy sources: LexisNexis gently announces about 32,000 suspected thefts of identity data, which soon balloon to 310,000. ChoicePoint, a data broker and credit reporting agency with access to 19 billion records, lets 145,000 consumers know their personal data may have been stolen.

These are among hundreds of thousands of warnings to vulnerable Americans surfacing mainly because California has a law requiring that consumers be notified when their personal data are pilfered. There is no such federal law, even though identity theft produces $50 billion a year in personal and business losses. As California’s consumers play the canary in the data mines, consumer and law enforcement organizations are putting pressure on loosely regulated data brokers to let the rest of us in on their failures. But this is hardly the way to safeguard the American consumer.

Recent Senate hearings show that no one really knows how deeply hackers and in-house thieves are tapping into our personal records. There was the purloining of Ford Motor Credit reports on 30,000 consumers so street thieves could empty bank accounts and run up purchases. Computer backup tapes were lost at the Bank of America with the Social Security numbers and other vital data of 1.2 million federal workers.

Worthy proposals, starting with upfront, nationwide notification of security breaches, are being offered by senators from some of the most victimized states: Dianne Feinstein of California, Bill Nelson of Florida and Charles Schumer of New York. The nation also needs tight regulation of the security and business practices of data brokers and credit agencies, and a ban on the easy access and sale of Social Security numbers without individual consent. Consumers, not data dealers, deserve controlling interest in their vital information.

Indifferent lawmakers cannot say they have not been warned.

(emphasis mine)

Go Times! While this probably seems like a pretty tame call to action to those of us down in the trenches, it is still a significant step forward when the NYT says it’s time to regulate data dealers.

ChoicePoint and Lexis-Nexis tell spin it like it is

Thursday, April 14th, 2005

You can generally count on The Register to tell it like it is, combining news and analysis into a nice sixth-grade-reading-level package for people like myself. Today, they had an entertaining summary of ChoicePoint and Lexis-Nexis’ congressional testimony.

[Republican Senator Arlen] Specter wondered aloud how a company official with enough authority to serve as liaison to law enforcement in such a matter could fail to appreciate its significance and inform others. “I can’t explain it,” [ChoicePoint President and COO Douglas] Curling allowed. However, there have been only “45 or 50 breaches,” in all, he added.

That’s funny Doug…I can explain it and I don’t make anywhere near as much as you. Maybe I’m in the wrong line of work. Basically, Doug, you don’t give a damn about the subjects in your database because they don’t pay you money. ChoicePoint, on the other hand, incents you to do things like say pretty much anything, including claiming you don’t know what the Hell you’re doing running a commercial data brokerage, rather than admit to any mistakes or wrongdoing.

I’ll be the first to admit that every industry has persistent, ongoing attacks on their business models. Retailers have shrinkage and Point-of-Sale fraud. Bars and restaurants have spillage. Data Aggregators have Identity Theft Fraud-by-Impersonation. Notice the key difference, though…Shrinkage, POS Fraud, and spillage all hit the company square in the bottom line. Identity Theft Fraud by Impersonation and attempts to prevent it expand, if anything, the demand for data services like Choicepoint. See anything wrong with this picture?

According to Curling’s statement to the committee, they’re doing three things for their victims and making four internal changes to address the problem. From his testimony:

Schneier clarifies his Two-Factor Authentication Comments

Tuesday, April 12th, 2005

When Bruce Schneier dismissed Two-Factor Authentication as a solution to identity theft, he was widely vilified, mostly by people who didn’t understand his reasoning. Now, he’s clarified those comments nicely:

What two-factor authentication won’t do is prevent identity theft and fraud. It’ll prevent certain tactics of identity theft and fraud, but criminals simply will switch tactics. We’re already seeing fraud tactics that completely ignore two-factor authentication. As banks roll out two-factor authentication, criminals simply will switch to these new tactics.

Security is always an arms race, and you could argue that this situation is simply the cost of treading water. The problem with this reasoning is it ignores countermeasures that permanently reduce fraud. By concentrating on authenticating the individual rather than authenticating the transaction, banks are forced to defend against criminal tactics rather than the crime itself.

Two-factor authentication is a long-overdue solution to the problem of passwords. I welcome its increasing popularity, but identity theft and bank fraud are not results of password problems; they stem from poorly authenticated transactions. The sooner people realize that, the sooner they’ll stop advocating stronger authentication measures and the sooner security will actually improve.

I had my criticisms at the time. If the core of the Identity Theft Fraud-by-Impersonation problem is poorly-authenticated transactions, then weak authentication mechanisms are still the root of the problem. We’re now widely in agreement that Two-Factor Authentication won’t solve the problem. Let’s move along to what is.

Currently, in the United States all you really need to authenticate yourself as possessing a Financial Identity are the target’s name and Social Security Number. The problems solved by Two-Factor authentication only come into play after that initial, weak authentication. That is not a password problem, that is a systemic problem.

Authentication proves identity. The strength of the authentication mechanism defines the confidence level that I am, in fact, the entity I’m claiming to be. Name and SSN, Mother’s maiden name, Driver’s License, Username and password, PGP keys, number-generating key-fobs, fingerprint readers and retina scanners all produce different levels of confidence that the remote entity is who they claim to be. Each of them comes with its own benefits and sets of risks. To attempt to pick one society-wide standard from even this incomplete list, however, is foolish.

As I see it, the core of the problem is that Identity is not actually tied to me as a person–it’s tied to data in various databases. That’s not necessarily a Bad Thing. Sure, it’s argued that Biometrics would solve that problem but I’m actually not very comfortable with that solution. The unintended consequence here becomes that if we ever actually succeed in tying Identity to its owner, then we can no longer decouple it in the situations where we’d like privacy or anonymity. Yet another example of “Security is a Trade-Off.”

Each authentication mechanism has costs, attacks, and risks associated with it. Passwords (something you know) can be forgotten or stolen without your knowing it, but are easily changed. Biometrics (something you are) can be extremely difficult to forge but cannot be changed on demand (though they can change over time), fail due to injury (how do you read a fingerprint through a band-aid?) or, in the worst case, cost you that finger. Number-generators and private crypto keys (something you have) raise the bar significantly for compromising an account but can be lost or stolen, are difficult to support or change, and are generally not shared between different authenticating entities.

If I’m worried about someone breaking into my existing on-line bank account, that’s a very different problem than trying to prevent the general abuse of my Financial Identity through Identity Theft Fraud-by-Impersonation and the considerations should vary accordingly.

The key thing to remember is that security solutions are safeguards against specific threats. Unfortunately, very few people seem to understand the relationship between Risk (understanding and quantifying the potential loss if a threat comes to pass) and Security (taking action to mitigate risks). Most people jump straight to the Security piece since it’s both more interesting and more likely to produce some vendor freebies.

Suggesting two-factor authentication as a cure for Identity Theft Fraud-by-Impersonation is attempting to fit a technology solution to a systemic problem, which is what I think Schneier has been trying to get at all along.
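Schneier’s distinction between authenticating the individual and authenticating the transaction is easier to see in code. The following added example (mine, not Schneier’s and not any bank’s) builds a toy bank in Python: a two-factor login using an HOTP-style one-time code, then two ways of accepting a transfer. Scheme A executes whatever arrives on the authenticated session; Scheme B additionally requires an HMAC over the transaction fields, computed with a key held only by the user’s token, plus a nonce to stop replay. A trojan that rewrites the payee and amount after the user has logged in beats Scheme A and is caught by Scheme B. The key material, account names, nonce format and message layout are constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import secrets


# Constructed secrets for this example. In a real deployment the OTP seed and the
# transaction-signing key would live in the customer's token and the bank's HSM.
OTP_SEED = b"example-otp-seed"
TXN_KEY = b"example-transaction-key"


def hotp(seed: bytes, counter: int) -> str:
    """HOTP-style 6-digit code (RFC 4226 dynamic truncation over HMAC-SHA1)."""
    digest = hmac.new(seed, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def canonical(txn: dict) -> bytes:
    """Deterministic encoding so the token and the bank MAC exactly the same bytes."""
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()


def sign_transaction(key: bytes, txn: dict) -> str:
    """Transaction MAC: binds payer, payee, amount and nonce to the user's key."""
    return hmac.new(key, canonical(txn), hashlib.sha256).hexdigest()


def trojan_tamper(txn: dict) -> dict:
    """What browser malware does after the user has logged in: rewrite the order."""
    return {**txn, "to": "mule", "amount": 500}


class Bank:
    def __init__(self) -> None:
        self.balance = {"alice": 1000, "bob": 0, "mule": 0}
        self.sessions: dict[str, str] = {}
        self.seen_nonces: set[str] = set()

    def login(self, user: str, code: str, counter: int) -> str | None:
        """Two-factor login (password check omitted, OTP verified).
        This authenticates the person; it says nothing about any later order."""
        if not hmac.compare_digest(code, hotp(OTP_SEED, counter)):
            return None
        sid = secrets.token_hex(8)
        self.sessions[sid] = user
        return sid

    def _apply(self, txn: dict) -> str:
        if self.balance[txn["from"]] < txn["amount"]:
            return "rejected: insufficient funds"
        self.balance[txn["from"]] -= txn["amount"]
        self.balance[txn["to"]] += txn["amount"]
        return "ok"

    def transfer_session_only(self, sid: str, txn: dict) -> str:
        """Scheme A: anything arriving on an authenticated session is executed."""
        if self.sessions.get(sid) != txn["from"]:
            return "rejected: not authenticated"
        return self._apply(txn)

    def transfer_signed(self, sid: str, txn: dict, tag: str) -> str:
        """Scheme B: the session is still required, but the order itself must carry
        a MAC computed by the user's token over the fields the user actually saw."""
        if self.sessions.get(sid) != txn["from"]:
            return "rejected: not authenticated"
        if not hmac.compare_digest(tag, sign_transaction(TXN_KEY, txn)):
            return "rejected: transaction MAC mismatch"
        if txn["nonce"] in self.seen_nonces:
            return "rejected: replayed transaction"
        self.seen_nonces.add(txn["nonce"])
        return self._apply(txn)


def demo() -> dict:
    """Run both schemes against the same in-browser tampering and return the outcomes."""
    bank = Bank()
    sid = bank.login("alice", hotp(OTP_SEED, 7), 7)
    intended = {"from": "alice", "to": "bob", "amount": 50, "nonce": "n-001"}

    # The token signs what the user saw; the trojan then rewrites the order in transit.
    tag = sign_transaction(TXN_KEY, intended)
    on_the_wire = trojan_tamper(intended)

    return {
        "session_only": bank.transfer_session_only(sid, on_the_wire),  # succeeds
        "signed_tampered": bank.transfer_signed(sid, on_the_wire, tag),  # caught
        "signed_honest": bank.transfer_signed(sid, intended, tag),       # succeeds
        "signed_replay": bank.transfer_signed(sid, intended, tag),       # caught
        "balances": dict(bank.balance),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point is not that HMAC is special; it is that the MAC covers the payee and amount the user actually approved, so a session the attacker rides cannot be reused to push a different order. Transaction-signing tokens that fold the payee and amount into a challenge-response code work on the same principle. The nonce check matters because an otherwise valid signed order could be submitted twice.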

How stupid do they think are we?

Monday, April 11th, 2005

I first saw this over at Emergent Chaos but settled for reading the short version over at The Register where they discuss the theft of two computers at San Jose Medical Group containing 185,000 patients’ records.

As usual, a spokesman says it was just the computers they were after:

“We believe they were stolen because of the kind of computers they were and not because of the information,” [vice president of information technology for the San Jose Medical Group, Mike] Patel said, noting that there have been no reports of patients’ personal or financial information having been compromised.

How stupid do they think we are? The computers were stolen on March 28th, he made that statement sometime before April 8th, just over a week later. It often takes months or more for people to realize that they were victims of identity theft. Throw in the facts that the new owner of those laptops is probably smart enough to sit on the data for a little while, that it takes some time to get everything ready to tear through an Identity, and the fact that just because they haven’t heard doesn’t mean it didn’t happen, and this statement looks even more like wishful thinking at best and flat-out lying at worst.

Getting back to the incident itself, according to the NetworkWorld Fusion article:

The computers were taken from behind locked doors at the administrative offices of the San Jose Medical Group on March 28, after thieves broke through the doors.

So I’m supposed to believe that someone broke through a locked interior door on the off chance there was some hardware behind it? I believe a lot of things, but that’s not one of them. This thing reeks of “planned inside job,” not “target of opportunity.”

Wake up, IT and Corporate Managers of the world, and realize that the contents of those hard drives can be sold for Real Money. This is not about the hardware. Used computer hardware is pretty much worthless if you can’t still smell the chemicals leaching out of the plastic, especially when devalued to the ten cents on the dollar that a fence is going to pay for it. A laptop with 185,000 sets of PII including the holy grail of Identity Theft Fraud by Impersonation, the Social Security Number, on the other hand, is potentially worth well over a million dollars in the hands of someone who knows how to abuse them.

The value of data is still too abstract a concept to most people–they can understand that having a laptop stolen means the owner no longer has a laptop. Comprehending the idea that you can have something stolen and yet still have it, as is the case with the data on these laptops or, according to the RIAA, music on a Peer-to-Peer network makes people’s heads hurt.

The person who actually committed the theft and may eventually be prosecuted for it probably doesn’t appreciate what they just did, but I’d wager that the person who paid them for it has a keen understanding of what he or she just bought.

Good luck to you. All 185,000 of you. I’m afraid you’re going to need it.