[Cryptography] Opening Discussion: Speculation on "BULLRUN"

----- Forwarded message from "Jeffrey I. Schiller" <jis@mit.edu> -----

1. [...] In general the consuming public cannot tell the
     difference between “good stuff” and snake oil. So when presented
     with a $100 “good” solution or a $10 bunch of snake oil, guess
     what gets bought.

Or there might be 2 good solutions for certain security functions around
$100, and 10 different flavors of $90 snake oil, and plenty of $50, $100,
and $120 snake oil flavors. The world is full of salespeople and marketers,
and the snake oil salespersons are just as great as the "good stuff"
salespeople. Also, with more resources to devote to sales than to
engineering, the snake oil salespersons have more time and resources
available to look at their competitors' merchandising, and to make sure the
snake oil bottles on the store shelves are the ones that look the most
appealing to the potential buyers.

A wary buyer should not believe the salesperson, but demand a thorough
long-term critical review (a 30 day demo of some product is not sufficient
duration to discover that it's totally bunk).

2. Security is *hard*, it is a negative deliverable. You do not know
     when you have it, you only know when you have lost it (via
     compromise). It is therefore hard to show return on investment
     with security. It is hard to assign a value to something not
     happening.

This is because it doesn't make sense to say that security itself has a ROI
in the first place. IT security is risk management; therefore, in isolation
security means nothing: security is a way of mitigating fundamental risks,
improbable events that are nevertheless certain to happen eventually (given
enough time) and that have an average negative ROI.

There is a fundamental tradeoff between risk and return: if you spend NO
money on security, on lawyers to help structure the business to avoid
liabilities, or on other protections such as insurance, then you INCREASE
return; in the short term, you will most likely have much greater profit if
you don't bother with any insurance, lawyers, or security.

It all works fine, until there is a disaster, someone files a lawsuit, or
you have a break-in.

For example: by not purchasing insurance on your business assets, you
avoid spending insurance premium dollars. This increases how much money you
make (your return), as long as nothing bad happens.

However, not buying insurance, or not paying the costs of security, greatly
increases the risk that the business incurs a loss because something bad
happens.

Furthermore, spending a lot of money on security reduces return, BUT also
reduces the risk.
Security does not have a ROI, but it does have a tradeoff.

That tradeoff should be understood using the language of risk management,
not profit/loss. And there is no reason people can't understand that;
after all, they do understand what happens if you don't pay lawyers to
help your enterprise comply with the law or draft successfully binding
contracts.

You should expect to spend amounts on security per year commensurate with
the costs of insuring those data assets against the liability that would be
incurred if they were tampered with or leaked to the public. Granted,
plenty of orgs are much more likely to have an Internet-based security
breach than a fire or a flood; therefore, the risk you take on by not
spending on security is possibly a larger risk.

2a. Most people don’t really care until they have been personally
     bitten. A lot of people only purchase a burglar alarm after they
     have been burglarized.

Most people purchase homeowners' insurance.

Vehicle insurance is mandated by the state in many cases.
I wonder if someday a similar per-PC mandatory purchase will be required
for computer security.

3. As engineers we have totally and completely failed to deliver
     products that people can use. I point out e-mail encryption as a
     key example. With today’s solutions you need to understand PK and
     PKI at some level in order to use it. That is like requiring a
     driver to understand the internal combustion engine before they
     can drive their car. The real world doesn’t work that way.

Yes. This is a total nightmare.

Before Joe Consumer can send an encrypted mail, he has to either go to
some command line and run gpg --gen-key, or go to Xyz CA corporation and
buy a personal SSL certificate for some expensive per-year premium of $10
or more...

and then go through a lot of trouble to figure out how to import that into
the browser, and manually repeat this process every 1 to 3 years when his
certificate expires; the process Joe has to go through to S/MIME-enable
every copy of his mail client on all his different computers, and his
webmail provider, is even more complicated.

Before anyone can send Joe an encrypted message, Joe somehow has to get
all his correspondents to manually import a copy of his certificate.

This is clearly miles outside the realm of possibility for the average
Windows user.

With regards to the $10 snake oil security product versus the real one
at $100: since the NSA can break both, they are both worth $0 in
terms of privacy.

From a business/corporate point of view, there are two aspects:

1- Image: If your weak security has allowed a data breach to become
public (such as TJ-Maxx) then you have damage to your image. But TJ-Maxx
has survived and the average person has forgotten about millions of credit
card numbers having been stolen from its databases.

If the NSA snoops on your systems to see what kind of underwear Osama
Bin Laden buys and where he has them delivered, there is nothing your
company can do about it. Either you don't know it is happening and the NSA
will never make it public (no image problem), or you got a warrant and
were forced to do it (some image problem, but you can say your hands
were tied and shift blame to the NSA).

2- Real cost: if you're a bank, and someone intercepts a letter of
credit or payment transaction to find out how much a corporate customer
pays for widgets, that customer can sue you for breach of
security/confidentiality (since its competitors now know what deal it
has negotiated to buy those widgets). The lawsuit against the bank has
real costs (not only lawyers, but settlement as well). It becomes easier
to cost-justify security when you can put real costs on not having security.

So risk management is an important factor in both cases.

BUT, when you get to the general public, the equation changes:

For the general public, a burglary is a good analogy. You can easily put
a value on the stolen TV set and replace it. But this isn't what happens
when the NSA spies on your private communications and you have no real
measurable damage.

The damage you get is akin to losing your family pictures, or the feeling
of having been violated because someone came into your home and rummaged
through all your personal stuff, and not knowing exactly what they will
do with your personal items and why they stole them. Putting a value on
this is next to impossible. Risk management becomes impossible, except
at the political level.

If the NSA intercepts private emails between a husband and his mistress,
the husband can't know if the NSA will ever use this against him. This
fear remains because the NSA might hold on to these emails for a long
time (or might not).

And at the political level, Obama made it clear in a recent speech that
he hopes this will blow over and that he will be able to convince
Americans that the NSA is doing good things. Their political staffers
evaluated the risk that this might backfire and figured it wouldn't.
This has nothing to do with selection of technology to guard against the
NSA; it is all about political public opinion.

Here is what the politicians forget:
Because the economy is moving to the internet, losing trust in the
internet is akin to losing trust in the banking system.

I am not sure network operators have much of a choice. Sure, someone
like Bell Canada will hopefully review their no-peering policy in Canada
(forcing so much traffic to route via the USA), but for other networks there
isn't much they can do to prevent the NSA from accessing any/all data while
in transit.

What is really needed is for an intelligent debate by politicians on the
need to preserve trust in the internet and whether preventing a couple
of bombs is really worth the loss of trust and freedom due to
implementation of measures worse than what "1984" predicted.

Since intelligent debate by politicians is impossible, the other way to
change things is to seriously deprive any politician who supports
excessive spying by NSA of any money and chance to be re-elected.

Imagine the good publicity AT&T and/or Verizon would get if they were to
announce that they are ceasing all political contributions to any party
or individual politician who supports the indiscriminate data collection
done by NSA.

And this might be enough to tilt the table and get politicians to start
to criticise the NSA and call for measures to limit its spying.

If the last five years have left anyone with a shred of trust in the banking
system, then the Internet is in no danger of becoming untrusted due to the
recent revelations.

- Matt