Monthly Archives: August 2004

Cliff Forts vs. Coordinated Mesas

Smithsonian Magazine published an interesting story (“Riddles of the Anasazi,” by David Roberts) about the ancient Anasazi of the Four Corners region of the U.S. southwest. For centuries they built buildings and roads and practiced agriculture and pottery. Then around the year 1200 they started suffering depredations by parties as yet unidentified who attacked them, killed them, and ate them; the evidence of cannibalism has become hard to refute.

At first the Anasazi reacted by building residences in increasingly hard-to-reach niches in cliffs. The example on the left is one of the last things they built on the cliffs; a wooden platform wedged into a rock face.

Eventually, at the end of the thirteenth century, the Anasazi abandoned their cliff faces and moved to mesa tops to the southeast: at least three mesas, each of which could see at least one of the others.

“It was not difficulty of access that protected the settlements (none of the scrambles we performed here began to compare with the climbs we made in the Utah canyons), but an alliance based on visibility. If one village was under attack, it could send signals to its allies on the other mesas.”

The mesas did have perimeter defenses: they were 500 to 1000 feet tall, and they each had only one way in. But their individual perimeter defenses were not as extreme as back on the cliffs, and perimeters were only part of the new mesa defense system. Their descendants the Hopis still live on mesa tops.

Related to the question of Forts vs. Spimes, in this case ever more restricted fort perimeters did not work. What apparently did work was coordinated observations and cooperation. The analogy to the Internet probably does not need belaboring.


Pirates, Then and Now

Andy Oram has posted a review of Villains of All Nations: Atlantic Pirates in the Golden Age by Marcus Rediker, in which he notes that old-time sea-pirates (har har!) weren’t just criminals; they were to some extent early capitalists and pioneers of social methods such as a form of social security. The more basic point is that pirates existed partly because the more traditional economic systems of their day did not provide some things that many people wanted. One could turn that around and say that the widespread availability of deep-sea vessels enabled global piracy.

What does this have to do with the Internet? It is a new sea with its own pirates, some of them easy to spot, such as terrorists and crackers, and others in legal limbo, such as p2p software providers and users. Some people say p2p software providers are pirates, but a court just said they aren’t.

The relevance to Internet risk management is that there will be various uses of the Internet ranging from clearly legal through grey to plainly illegal, some of which may affect your enterprise. These are just risks that need to be managed. In some cases legal measures may be appropriate. In others reputation systems may suffice to change behavior. For other cases, enterprises need to protect themselves via insurance or other financial instruments. Ignoring it won’t make it go away.


Data Objects: Forts (Geer) or Spimes (Sterling)?

Speaking the other week at different conferences, Dan Geer and Bruce Sterling provided different views of the future of Internet and world governance, or, more specifically, the continued involvement of meritocracy in it.

Dr. Dan Geer is a famous security expert with more than a passing interest in the big picture. Bruce Sterling is a famous science fiction writer with more than a passing interest in technological details. I read both their stuff all the time. It’s interesting to see them produce such variant prognostications.

Here’s Dr. Dan Geer:

“At the same time, increasing threat will, as it must, lead to shrinking perimeters thus away from a focus on enterprise-scale perimeters and more toward perimeters at the level of individual data objects. Security and privacy are, indeed, interlocking but, much as with twins in the womb, the neoplastic growth of the one will be to the detriment of the other hence the bland happy talk of there being no conflict between the two will soon be shown to be merely that. Finally, the Internet as a creature built by, of, and for the technical and ethical elite being no longer consistent with the facts on the ground, its meritocratic governance will yield to the anti-meritocratic tendencies of government(s).”

–Dan Geer, USENIX Security Symposium, 12 August 2004, page 20.

And here’s Bruce Sterling:

“You might think, now that Hollywood slums around your gig, and even novelists show up, and Pixar drags Disney around by its big financial nose, that there were no new worlds to conquer for SIGGRAPH. But there’s one world that you direly need to conquer anyway. Even if hobbits win Oscars by the bushel full.

“Having conquered the world made of bits, you need to reform the world made of atoms. Not the simulated image on the screen, but corporeal, physical reality. Not meshes and splines, but big hefty skull-crackingly solid things that you can pick up and throw. That’s the world that needs conquering. Because that world can’t manage on its own. It is not sustainable, it has no future, and it needs one.

[After much development of the idea of spimes, which are objects that tell the user all about themselves and everything related to them….]

“The upshot is that the object’s nature has become transparent. It is an opened object.

“In a world with this kind of object, you care little about the object per se; that physical object is just a material billboard for tomorrow’s vast, digital, interactive, postindustrial support system. This is where people like you, your evolved successors, rule the earth. This is a world where the Web has ceased to be a varnish on barbarism, and where the world is now varnish all the way down.

“By making the whole business transparent, a host of social ills and dazzling possibilities are exposed to the public gaze. Everyone who owns a spime becomes, not a mute purchaser, but a stakeholder. And the closer you get to it, the more attention it sucks from you. You don’t just use it, any more than I can pick up this Treo and just make a simple phone call. This device wants to haul me into the operating system; I’m supposed to tell all my friends about it. We’re all supposed to become its darlings and its cultists, we’re all supposed to help out. Sometimes we do that willingly, sometimes we just fight for breath. We’re not customers. We’re not consumers. And with spimes, we’re not even end-users. We spend our time wrangling with the real problems and opportunities of material culture. We’re wranglers.”

–Bruce Sterling, SIGGRAPH, 9 August 2004

I suppose comparing them next to each other like this is not completely fair, since Dan was speaking about Internet security over the next decade, and Bruce was talking about the entire material world longer term.

Maybe they’re both right. Maybe first we have to go through a defensive regimented unsustainable period before we can get to a transparent integrated enhancing future.

Or maybe the details of what Dan was talking about are part of the way to what Bruce was talking about. If, as Dan recommends, we beg, borrow, or steal metrics from public health, accelerated failure time testing, insurance, portfolio management, and physics, and we distribute the resulting measurements with various forms of information sharing, plus take many of the measurements in a distributed manner, and connect that up with gizmos for people to use, don’t we get pretty close to Bruce’s spimes?

With Dan’s recommended always-on sensor network, crackers and terrorists won’t be able to sneak in exploits without them being known. This doesn’t mean exploits won’t happen; however it may mean that the perpetrators will be more likely to be caught, and faster. And that companies and individuals will have more incentive to install patches. And that vendors will have more incentive to not sell buggy software. And that insurers can better cover business losses that happen anyway.

In other words, maybe increasing threat leads not to shrinking perimeters, but rather to expanding interdependence and transparency.

Security and privacy may or may not be a zero-sum game.

Security and liberty are not a zero-sum game.


Wise to Prepare for the Worst: $50B > $15.8B

In a previous post we saw that ancient India under the Guptas had force majeure events such as flood, fire, and famine just like we do today, and that Kautilya in his Arthashastra expected the king (government) to step in, because insurance apparently hadn’t been invented yet. Recent news indicates that apparently insurance still isn’t much applied, not only in India, but also on the Internet:

“Residents in the Middle East who are sweltering in the heat and humidity must be baffled by the scope and ferocity of flood waters lashing huge parts of South Asia, including India, Bangladesh, reports of which are now being televised daily.

“How can nature be so discriminating that it punishes one part of the world with drought and penury while forcing evacuations elsewhere with floods?

“While billions of dollars are lost in these countries, which affects their national economies adversely, the insurance industry is left almost untouched as most of the goods and lives lost are uninsured.

“Conversely, in the United States, Canada, Western Europe and Japan, for instance, the insurance industry generally plays an active role in providing financial protection against such miseries.

“For this reason, natural calamities such as earthquakes and floods, even when they strike with their full might in the subcontinent and South-East Asia, do not hugely impact the global economic outlook.”

Managing Risk: Natural disasters: It is wise to prepare for worst By V.A. Tommy, Special to Gulf News

How do insurers handle such events in the countries that do use insurance widely for them? The article says that insurers support an index called the Tropical Storm Risk (TSR) that predicts how many hurricanes to expect.

“According to a research report released in February by Munich Re, the largest reinsurance company, insured losses from natural catastrophes totalled $15.8 billion last year, up 37.4 per cent over 2002.”

That’s a lot of money. But it’s less than the $50 billion worst case Internet worm risk for just the U.S. we saw in the previous posting.

If it is wise to insure against fire, flood, and storm, shouldn’t it also be wise to insure against cyber-hurricanes that could cause even more economic damage?


Worst-Case Aggregation: $100 billion

In the previous post we saw that the idea of aggregated damages is probably at least 2300 years old. These days we have means of aggregation that Kautilya never dreamed of, from ships to planes to telephones to satellites to the Internet. So what’s the most aggregation we can expect to see for damages on the Internet?

At a conference in May, two researchers attempted to answer that question with a paper:

“Worms represent a substantial economic threat to the U.S. computing infrastructure. An important question is how much damage might be caused, as this figure can serve as a guide to evaluating how much to spend on defenses. We construct a parameterized worst-case analysis based on a simple damage model, combined with our understanding of what an attack could accomplish. Although our estimates are at best approximations, we speculate that a plausible worst-case worm could cause $50 billion or more in direct economic damage by attacking widely-used services in Microsoft Windows and carrying a highly destructive payload.”

“A Worst-Case Worm,” Nicholas Weaver, Vern Paxson

This $50 billion estimate is actually conservative. The paper was supposed to have three authors, not two; the third author thought a higher estimate should be included.

Also, the estimate given is only for the United States. About half of the Internet is outside the U.S., so it is probably safe to assume that total worldwide damages would be even higher. A simple linear multiple of 2 may not be accurate, since the rest of the world isn’t as closely connected topologically as the U.S. is. On the other hand, most of the Internet in the rest of the world is in Europe, Japan, East Asia, Canada, Australia, and New Zealand, all of which are tightly connected within themselves and closely connected to the U.S. The Slammer worm, for example, did not respect national boundaries.

So there is good research to indicate that the fears some Fortune 500 CEOs have of a $100 billion risk are very well founded.


Traditional Security: the Arthashastra

According to tradition, around 300 B.C. Vishnugupta Kautilya wrote a book called the Arthashastra in which he spelled out in exhaustive detail the methods of statecraft, economics, law, war, etc. that he recommended, and that he had used to make Chandragupta Maurya emperor of India. Missing nothing, he identifies force majeure events in much the same way we do today:

Calamities due to acts of God are: fires, floods, diseases and epidemics, and famine.

Other calamities of divine origin are: rats, wild animals, snakes, and evil spirits. It is the duty of the king to protect the people from all these calamities.

He recommends the government be the guarantor not only of last resort but of first resort:

Whenever danger threatens, the King shall protect all those afflicted like a father and shall organize continuous prayers with oblations.

And he recommends specific measures:

All such calamities can be overcome by propitiating Gods and Brahmins. When there is drought or excessive rain or visitations of evil, the rites prescribed in the Atharva Veda and those recommended by ascetics shall be performed. Therefore, experts in occult practices and holy ascetics shall be honoured and thus encouraged to stay in the country so that they can counteract the calamities of divine origin.

He provides a handy table of which deities to propitiate for which calamity, for example Agni the god of fire for wildfires.

To be fair, he also includes practical instructions for specific calamities, such as:

During the rainy season, villagers living near river banks shall move to higher ground; they shall keep a collection of wooden planks, bamboo and planks.

In addition, the King is to keep stores of food and seeds to distribute in case of famine. So Kautilya advises some collective action as practical insurance.

He also discusses relative seriousness of calamities, dismissing irremediability in favor of breadth of effect. Some previous pundits had ranked fire as the most serious, because it burns things up irremediably, but Kautilya ranks flood and famine as most serious because they can affect whole countries, followed by fire and disease, then by local problems such as rats. So the concept of aggregation as used by modern insurers is apparently at least 2300 years old.

Nonetheless, Kautilya does not mention pooling finances in a form that would be recognizable as insurance. That was a risk management strategy yet to be invented in India.

The Arthashastra by Kautilya, edited, rearranged, translated, and introduced by L.N. Rangarajan. Penguin Books, 1992.


FedLine: Advantage or Menace?

This story in the New York Post has been all over the net:



August 15, 2004 — With little fanfare, the Federal Reserve will begin transferring the nation’s money supply over an Internet-based system this month — a move critics say could open the U.S.’s banking system to cyber threats.

The Fed moves about $1.8 trillion a day on a closed, stand-alone computer network. But soon it will switch to a system called FedLine Advantage, a Web-based technology.

The story is quite confused. What is “a Web-based technology”? Is it one that uses web pages for entry? Or is this the typical confusion of the web with the Internet? And does FedLine actually run over the public Internet, or does it simply use Internet protocols over private leased lines?

The story doesn’t answer any of these questions. It also says:

“Patti Lorenzen, a spokeswoman for the Federal Reserve, said the agency is taking every precaution.

“Of course, we will not discuss the specifics of our security measures for obvious reasons,” she said. “We feel confident that this system adheres to the highest standards of security. Without disclosing the specifics, it is important to note that our security controls include authentication, encryption, firewalls, intrusion detection and Federal Reserve conducted reviews.””

Somehow I’m not comforted by the first and most frequently mentioned method being security by obscurity. And the mention of firewalls would seem to indicate that this service does run over the public Internet. Let’s see what the Fed has to say about FedLine Advantage:

FedLine Advantage is coming!

“In recent years, we have announced our strategy to provide access to all Financial Services using web technology. We are pleased to announce FedLine Advantage, the Federal Reserve Banks’ next generation of service access, is on the horizon.

“FedLine Advantage will extend the use of web technology to provide access to critical payment services such as Fedwire Funds Service, Fedwire Securities Service and FedACH Services. In addition, FedLine Advantage will also enable the use of financial services that are currently accessible via FedLine Web, making it the access method of choice for Federal Reserve Financial Services.”

That Fed web page in turn links to a PDF of Volume 2 Issue 2 of the newsletter Fedfocus, which is dated May 2004. Hm, it appears this is old news.

Fedfocus May 2004 defines Virtual Private Network (VPN) and Frame Relay, notes how the former works over a public network and the latter does not, plus various kinds of encryption such as SSL, and various kinds of user authentication, such as passwords or USB. However, it never quite seems to say which of these technologies FedLine Advantage will use.

That issue of Fedfocus does emphasize conversion from an earlier MS-DOS version. So it seems to be largely a user interface move, which would indicate a change to a web interface, perhaps using the same underlying physical links as before.

If I had to guess, I’d say that they’d probably start with Frame Relay, and offer VPN service to those who want to risk it. And I’d guess that convenience would increasingly win out, resulting in many more VPN customers than FR ones.

Even if it stays completely on leased lines, there’s still the issue of the computers that are used to access the web interface. The Fedfocus issue mentions that an old version of Internet Explorer will no longer be supported for FedLine Web (a service currently in use) but newer versions of IE will be supported. What if someone compromises IE on such a computer?

I suppose what happens is that some transactions may get compromised. Of course the same thing can already happen if you use IE to access your bank account over the Internet, although the scale may be bigger. In other words, it’s the usual tradeoff of more convenience for somewhat more risk. Maybe this change will promote enough additional commerce through convenience to offset any losses from the increased risk.

That’s many smallish risks; not one huge risk of the entire Federal Reserve system being compromised all at once, as the newspaper article might lead one to believe. Well, probably not. I wonder if the Fed practices software diversity and topological and physical distribution of resources?

We’re moving into Tom Clancy territory here, and it’s already late as I type, so I’ll leave more on this to another day.

Suffice it to say that this is yet another case where technology alone will not completely manage risk, and non-technological means are also needed.


National Cyber Security Partnership

Here’s another organization of organizations, the National Cyber Security Partnership.

“The National Cyber Security Partnership (NCSP) is led by the Business Software Alliance (BSA), the Information Technology Association of America (ITAA), TechNet and the U.S. Chamber of Commerce in voluntary partnership with academicians, CEOs, federal government agencies and industry experts.

“Following the release of the 2003 White House National Strategy to Secure Cyberspace and the National Cyber Security Summit, this public-private partnership was established to develop shared strategies and programs to better secure and enhance America’s critical information infrastructure.”

It has five task forces on various aspects of (mostly traditional) security, from user education to corporate governance to software. These are all things that need to be done.


Americans for a Secure Internet

Speaking of reputation systems, there’s a new player: Americans for a Secure Internet. It appears to be focused on education.

Members include organizations such as VeriSign, eBay, ISS, and TechNet, and individuals, although none seem to be named.

According to this InfoWorld article, apparently the new group has already had some success in obviating legislation through education.


McNamara on Security

I’ve mostly been writing about contemporary events or reports. Let’s go back 38 years, to 1966, and listen to U.S. Secretary of Defense Robert S. McNamara speak in Montreal, after he got over his earlier enthusiasm for applying scientific management and engineering to the military, and as he saw a different path forward:

“There is still among us an almost [in]eradicable tendency to think of our security problem as being exclusively a military problem–and to think of the military problem as being exclusively a weapons-system or hardware problem.”

This seems a lot like our contemporary Internet security problems: we have an ingrained tendency to think of them as technical problems. We keep adding more defensive systems, and sometimes things like spam blocking lists that amount to offensive systems.

Yet, as McNamara pointed out:

“The plain, blunt truth is that contemporary man still conceives of war and peace in much the same stereotyped terms that his ancestors did.

“The fact that these ancestors, both recent and remote, were conspicuously unsuccessful at avoiding war, and enlarging peace, doesn’t seem to dampen our capacity for cliches.”

Internet security problems keep getting worse no matter how many firewalls and patches and intrusion detection systems we throw at them. These things are all necessary, but they are not sufficient.

“A nation can reach the point at which it does not buy more security for itself simply by buying more military hardware. We are at that point. The decisive factor for a powerful nation already adequately armed is the character of its relationships with the world.”

McNamara goes on to say security is development, and to define development as economic, social, and political progress. I don’t think we can push our analogy that far. Crackers will attack just for the hell of it.

However, if we abstract his point slightly, we can see the analogy. Some security problems are beyond the capabilities of a single company, no matter how large and capable the company. The power grid can fail; the telephone system can fail; and the Internet can fail. No single company can prevent those things, nor hurricanes, tornados, fires, and floods.

In the politics of nation-state security, McNamara says development is the answer and sometimes military force is needed to provide order so development can happen.

In corporate Internet security, other means are available, just as they have been since the seventeenth century: insurance and its relatives. A corporation can ameliorate its risk by pooling it with similar risks of other corporations by buying insurance, or using other financial risk-transfer instruments.

McNamara also said:

“The plain truth is the day is coming when no single nation, however powerful, can undertake by itself to keep the peace outside its own borders. Regional and international organizations for peacekeeping purposes are as yet rudimentary, but they must grow in experience and be strengthened by deliberate and practical cooperative action.”

In Internet security, cooperative action can include reputation systems such as the incident reports by CERT and US-CERT. It can also include more direct action by groups such as the Anti-Phishing Working Group.

The main point is the same as McNamara’s: companies can’t go it alone anymore in Internet security; various forms of cooperation are needed. These forms are new Internet risk management strategies, including financial risk instruments and reputation systems.

The following year McNamara resigned from the U.S. government and became president of the World Bank, attempting to implement what he recommended. (Whether the World Bank has succeeded is another subject.)

This speech by McNamara is surprisingly hard to find online; thanks to Dave Hughes for making it available:

“Security in the Contemporary World,”
Robert S. McNamara, U.S. Secretary of Defense,
before the American Society of Newspaper Editors,
Montreal, Canada, May 18th, 1966

It is apparently also recorded in the Congressional Record, May 19, 1966, vol. 112, p. 11114.