Friday, June 30, 2006

Semantic Web in a nutshell

A lot of people have been asking me about the Semantic Web recently. The first question is usually something like 'is the Semantic Web going to cause a security nightmare as information that is currently inaccessible becomes visible?' The next question is 'what is the Semantic Web anyway?'

Descriptions of the Semantic Web tend either to say so little that the point is lost ('the Web of Data') or to dive straight into the details; here, for example, is Tim's own roadmap.

We have a Web of data today, the problem is that we cannot use most of it in interesting ways. The Semantic Web is about building a Web of knowledge. Knowledge is information we can use.

Most data that is on the Web today is designed to be read by humans. That is fine if the user already knows what they are trying to find. It works much less well when you are trying to find information through a search engine.

Consider the problem of finding a specific part for a refrigerator. If you type in "refrigerator parts" as a search term you will find some places that sell refrigerator parts, and a lot more pages that you don't want: refrigerators appearing in films, people blogging about buying them, cleaning them, repairing them. What you really want is a way to restrict the search to only return sites that actually have refrigerator parts for sale. You probably want to go a stage further and restrict the search to distributors of parts rather than shops that mostly sell refrigerators but will be happy to sell you a valve that costs $1 to make and should cost no more than $5 to buy for $66.50 plus sales tax (I do not exaggerate).

Yahoo started as an attempt to create a taxonomy for the Web. The problem is that the Yahoo directory works the same way as the Yellow Pages, with hundreds of people working on classifying Web pages. This worked in the early days when the Web had a few million users. The results are no longer very useful or current now that the Web has a billion users.

The answer is for people to describe the information that they put on the Web in ways that search engines and other tools that have not yet been invented can find it.

The last piece is the important part. A long time ago Yuri Rabinski and I got into an argument with Alan Kay which eventually turned into an argument between Tim Berners-Lee and Alan Kay. The day before, Alan had criticized the declarative nature of HTML, asserting that the procedural model of PostScript was superior because the data describes the way that it should be used.

The example is a good one because it proves exactly the point each side was making. PostScript is a superior language to HTML if all you want to do is to produce a printed version of the document. HTML supports a much larger range of uses. You can print it, show it on a graphics display or on a character cell terminal, send it to a PDA or convert it into speech. You can take the text, edit it and produce something new.

Which of these is 'better' depends on your point of view. If you are trying to produce the best technology to meet the needs you anticipate, the PostScript approach is best. If you want to prevent dangerous or unauthorized uses of your technology, the PostScript approach is also a lot better, because the data can only be used the way its author intended. If you want to allow the information to be used in the widest possible variety of ways then the HTML approach is best.

Semantic Web is about presenting data in ways that allow machines to do the type of work people do today. A lot of Web sites have addresses on them for hotels, businesses and so on. Some of the more thoughtful businesses add links to an online mapping site so it is easy to get directions. In the Semantic Web approach the address is tagged so that the Web browser can recognize that this sequence of data is an address and bring up the mapping tool of the user's choice.

The point here is not just a question of whether you want to choose between using Google Maps or Mapquest to find your directions. Both will do a fine job. Bringing up the tool of your own choice means that it can do things that the creator of the Web site could never anticipate. For example take those coordinates and send them to the GPS mapping unit in your car so that the destination is already programmed in when you start driving.

This naturally leads to the question we began with. Will the ability to make sense of information be used by Internet criminals?

As with all powerful technologies the Semantic Web can be used for good or for evil. In this case though the balance is firmly and definitely for good.

The Semantic Web is not really making more information available to the bad guys, it is merely making the information more visible. The Semantic Web will not cause people to put more credit card numbers on the Web. It may make it easier to answer questions such as 'what was your grandmother's maiden name' however.

This would be a real problem if security systems that depend on security through obscurity were working before the Semantic Web. The fact is however that they are already collapsing. We have to get rid of static passwords, static credit card numbers and the rest.

The potential benefits of the Semantic Web are much greater. It's not just the bad guys who can search for potentially compromising information. We can do that too. Information leakages will become more visible. There will be much greater incentives to avoid them.

The tools being built to support Semantic Web look remarkably like the tools we use to track down Internet criminals and for fraud detection. The difference between Semantic Web and what we do today is that Semantic Web makes it possible to share that information with other people in ways their systems can understand.

Today the bad guys adopt a divide and conquer strategy. They design their attacks knowing where information can be readily exchanged and where it cannot. Semantic Web gives us the tools to link our systems and unite them.

Friday Gorilla Blogging

Getting the remote control away from him can take some persuasion.

Thursday, June 29, 2006

Paul calling from 708-539-2373

Paul from the prize claim center is continuing to call people. It is still the number one search engine term for the dotCrime Manifesto and a staggering 50% of site traffic is coming from searches on prize claim related terms. That means that Paul must be pretty busy calling.

Paul does not respect the ban on calling mobile numbers nor, according to this report, the Do Not Call list.

This appears to be merely traditional call center junk calling. But why is it taking so long to put a stop to it?

Wednesday, June 28, 2006

More voice phishing

The Register

I think this particular tactic, email solicitation followed by VOIP capture of the credentials, will be short lived. It will take some time to get the first sites shut down but it won't take long to get a process set up. Telephone service is heavily regulated and there will be some to-ing and fro-ing with writs at first.

There is a very small number of VOIP providers relative to ISPs though. In a very short time there will be a well understood process in place.

My big fear is what will happen when the solicitation goes out via VOIP. That is going to be easy to shut down once discovered but much harder to discover. We will have to rely on individual consumers contacting us to report the attacks. That is going to be hard to set up.

YouTube - How to Watch Porn


Tuesday, June 27, 2006

Supreme court to hear patent case

CNet reports that the Supreme Court is to consider standards for patent "obviousness".

This is long overdue for many reasons, not just because of the interminable number of ridiculous patents that have been granted but because the current system is failing the very people it is meant to serve. It now takes several years for the USPTO to even begin a patent examination. Prosecution takes even longer.

It is not surprising to see Cisco and Microsoft filing an amicus brief here. They both spend hundreds of millions of dollars each year filing patent applications they know they can never enforce. They know that if they do not file for a patent someone else will, and will then send them a demand for royalties. The real evil with defensive patents though is that the USPTO then has the gall to claim that this make-work is evidence that the system is working.

What is more surprising is the addition of Hallmark to the brief, until you find out about the specific patent case they were the defendant in which involved a bizarre patent describing the most trivial variation imaginable on a 40 year old machine.

The brief itself is well worth reading. It puts the point across very forcefully that the granting of junk patents creates an anti-commons effect.

What is really interesting though is the slew of case law from the 1880s and 1930s showing how much stricter the standard for invention was in those days. There is no question that the Federal Circuit would have accepted each of the invalidated patents today.

I suspect that part of the problem here is the creation of a separate circuit to hear patent cases. The judges in the cases have become advocates for the USPTO in the same way that the USPTO has become an advocate for patent holders no matter how idiotically obvious their claims may be.

What is the scam?

There is a scam behind every spam. But what is the scam here?

They could simply be selling porn but it doesn't seem right for that. And it does not appear to be a pedophile ring. Most likely it is a chocolate-and-flowers recruitment pitch to become a package reshipper or a money mover. Someone should be following these up to see what the scam is.

From: 'Brian'
User-Agent: Mozilla 4.75 [en] (Win98; U)
X-Accept-Language: en-us
MIME-Version: 1.0
Subject: want to meet?
Content-Type: text/plain; charset='us-ascii'
Content-Transfer-Encoding: 8bit

Dear fraiend,
I found yobur picture obn one of the websites, can we talk to
each other? I might be coming to your place in few weeks.
This would be a great opportunity to meet each other.
Btw, I am a woman. I am 25. Drop me a line at"

(Update) And another one...

i am here sitting in the internet caffe. Found your email and
decided to awrite. I might be coming to your place in 14 days,
so I decided to email you. May be we can meet? I am 25 y.o.
girl. I have a picture if you want. No need to reply here! as
this is not my email. Write me at

Ah, got it: it is an online pharmacy peddling Viagra. Reading carefully it turns out that it is 'generic Viagra', which is strange because the patents on Viagra are current everywhere. In any case sending the drugs to the US would infringe the patent holder's rights. The site has no SSL certificate, which may be because it is a phishing site or because the perpetrators don't want to be dealing with a lawsuit from the holders of the various patents they are infringing.

Monday, June 26, 2006

Verizon dumps AirPhone

So it turns out that there are not enough people willing to pay $5 a minute to make calls from planes. Verizon is dropping the business as it is due to lose its air spectrum license in 2010 anyway.

Russell Shaw blogs his own theory as to why this has happened: private jets. I suspect though that in our world of cheap telecommunications there is a limit to the number of CEOs willing to pay prices that just scream RIP OFF, particularly when there is no one else around to see you doing it.

I suspect that most people with private jets use their standard cell phone and to hell with the FCC regulations which were only imposed in the first place at the request of the mobile operators because their creaky networks could not deal with the pace at which the jets switched base station.

People will not use a technology if it is perceived as being excessively priced, even if they can afford the prices. The same sort of thing happened at New Year 2000. For years the media built up stories predicting excess built on excess, of bands and babysitters planning to charge five to ten times their usual rates. In the event, business during the millennial festivities was sharply down on previous years. The in thing became spending the night quietly at home.

Airphone was an utter failure at $5 a minute. I have used an airphone on precisely two occasions and someone else paid both times. I travel on planes a great deal, and it is years since I have seen someone make a call.

I have my cell phone and mobile pager and so does everyone else I need to contact. I check messages up to the minute they close the aircraft door. If anything happens in the next six hours that requires urgent attention someone else can handle it. Airphone is useless for inbound calls anyway, how would someone know which number to call?

Airphone could have been a major success if they had been less greedy with the pricing model. People might have been willing to pay a dollar a minute. I suspect that they lost business when they came out with the low cost plan for Verizon customers: they had admitted that their actual marginal cost was way less than their charges.

The airlines made a similar mistake with business class. Before 9/11 the major airlines all treated the business traveller as if they had a bottomless wallet. The price for an economy round trip Boston to San Francisco was $2,500 without a Saturday night stay. Business class was twice that and many companies paid business class as a matter of course. Today I can get a round trip ticket for the same route for $500 and business class is no longer an expectation. The first class areas have shrunk, separate business class is eliminated. The routes are no longer flown by wide bodied jets with three service classes.

People have an expectation as to what something should cost. Making it too apparent that you are actually pricing according to their ability to pay and the model will eventually collapse.

Tuesday, June 20, 2006

I was at the TIPPI workshop yesterday and proposed that we need a common threat model to evaluate proposals. Throughout the meeting someone would present a paper where 80% of the work and 95% of the interest was in area A and would then be asked about problem B.

Presenter shows plugin designed to explore the user interface issues:

"What about key loggers", "what about a man in the middle attack", "no, the real problem is the authentication credentials", "the phishing criminals will just go into selling plots of land in Florida", and so on.

In effect every single presenter was being evaluated on their ability to address the entire problem of Internet crime and to describe the solution in 30 minutes. That is not the way to go forward. We need to have a way for people to say what problem they are going to solve. The place where we have the biggest gaps in our knowledge is in the dynamics of the human interaction. If someone is presenting a paper on their antiphishing toolbar I don't care that much about the security of their protocol, not unless we are considering global deployment of the toolbar in that exact form. We know how to do protocols, we can fix that. It's the human interaction I am worried about.

There are several problems here. When we are talking about digest algorithms we have an established vocabulary of terms: SHA-1 is not broken outright, there is a collision attack against it but no practical second pre-image attack. So when we are talking about S/MIME we can say precisely which property a given use depends on: the SHA-1 collision attacks do not compromise a signature over a message the signer composed themselves, but they are a sign that we should start the transition process, because a signer who can be induced to sign attacker-supplied content is exposed.

What we need is a simple taxonomy of four or five terms (5 = 7-2) that we can use to refer to the various attacks. When we are holding discussions in a public forum we should only attempt to address one or at most two of those terms in this group at once. Everything else should be out of scope.

When we bring the parts together we have to address all parts of the problem at the same time. But expecting everyone to be an expert in everything is simply not productive.

Strawman proposal:

Platform Layer Attacks

Keyboard loggers, mouse click and screen capture trojans are all serious security issues.

Building platforms resistant to those attacks is the sole responsibility of the O/S providers: Microsoft, Linux, Apple, Sun, Palm, etc. It makes no sense for a standards working group to attempt to solve those problems. Preventing the circulation of malware is going to be the responsibility of the ISPs hosting the bots.

Network Layer Attacks

We have several people in the group who are cryptographers and/or network security protocol designers. There is a place to discuss that work; this is not it. There is no shortage of forums that are developing authentication etc. protocols.

Trust Infrastructure Attacks

If we are going to stop phishing we are going to need a means of making sure that the site representing itself as Contoso bank on the net really is the same corporation as the place where you opened the account and handed over the check. This infrastructure is necessary and complex, and I am currently sitting in the CA/Browser Forum where we are discussing that exact problem.

User Interaction Attacks

How does the browser communicate the security context to the user?

Chrome Attacks

How does the browser ensure that the trusted path used to communicate the security context is trustworthy?

Saturday, June 17, 2006

Why always $63.80?

OK, so we all know what this scam is about:

After the last annual calculations of your fiscal activity we have determined
that you are eligible to receive a tax refund of $63.80. Please submit the tax
refund request and allow us 6-9 days in order to process it.
A refund can be delayed for a variety of reasons. For example submitting invalid records or
applying after the deadline.

What I want to know is why the amount is always $63.80. Why not mix it up a bit? $52.40, $83.20, hey why not break the $100 barrier once in a while?

Have the perps all banded together and decided that the amount for this scam is $63.80?

I guess the idea must be that having told the target that they have a refund of $63.80 they can't change their story. Its kind of a nagging scam, keep telling them that they have a refund.

I am not the only person to get the same amount: [moonagewebdeream]

Thursday, June 15, 2006

Casio Exilim EX-S600 6MP Digital Camera

I bought this camera to supplement my Nikon D50. There is no question that the Nikon takes better pictures but it costs twice as much and you can't slip it in a pocket.

The pocketability factor is the big draw for the Casio. The S600 is astonishingly compact, about the size of a credit card and about a third of an inch thick. You can stick it in a shirt pocket and carry it about without knowing it's there.

It also takes great photographs as well. The colors are not as good as the Nikon and it does not focus as well but they are better than any previous compact point and shoot digital camera I have used.

The Casio scores very highly on the other two points that are important to me: shutter lag and battery life. For years I used to read reviews in digital camera magazines and wonder why they never mentioned the single biggest drawback to the cameras they reviewed: they would take a second or more to take a photograph after you pressed the trigger. Forget taking pictures of children or at a party, and there was no hope at all of getting a picture of a moving subject.

The reason the reviews didn't mention the dirty little secret of the digital cameras of the day was they were all terrible and they didn't want to scare off advertising. The recent generation of digital cameras have changed all that. They are true point and shoot cameras, not point, press, make a cup of tea, drink it, pour another one and shoot cameras.

The other dirty secret of the earlier generation was that they sucked the life out of their batteries so fast Dracula would have been impressed. This made me a little nervous as I slotted the thin Casio battery into the Exilim. It's not much to look at, not much thicker than the SD memory card. And just to make you a bit more nervous about running out of juice, the battery has to be plugged into the camera to charge.

Don't worry, I have taken a full 1GB SD card of pictures without even having to think about charging it. Each 1GB card gives 350 high res, high quality shots or so. There seems to be little point changing the settings unless you are really pressed for space, and with 2GB cards now selling for $50 that isn't very likely to happen.

The Exilim certainly can't compete on quality with the digital SLRs but it can put in a respectable performance and hold its own against other $300 cameras. Where it really scores though is in convenience; in that area it is absolutely flawless and (so far) unmatched. If that's what you need, buy it.

Jonathan Rusch has a blog

Read it

Crime doesn't Pay

This article in Baseline on procurement fraud has just been slashdotted.

But one point that really hit me in this particular case, the executive who ran the fraud received $25,000 in cash some number of times, an SUV, other gifts. The total haul was possibly as much as $100-$200K.

After being detected the exec was fired and lost a position that paid that amount each year and lost stock options worth $900,000. He is also facing a criminal trial and there is very little chance he will work for a public company in that type of position again.

There seems to be a compulsive element to these types of fraud. Recently a member of the cabinet was charged with shoplifting $3,000 worth of goods from Target using a refund fraud scheme. He certainly didn't need the money. Some suggest it was a response to the stress of holding that type of job. I suspect though that it is the need to take risks that is compulsive, similar to the compulsion that drives the gambling addict.

Wednesday, June 14, 2006

The last five digits attack

Yesterday I was out at NetSec doing my last speaking engagement I currently have scheduled for this year. I sat in on the presentation by Jonathan Rusch of the DoJ on Phishing.

Jonathan showed a phish where the target was shown a form with the first six digits of the credit card number already filled in: 1234-56**-****-****.

The point is that the first six digits are the Bank Identification Number, they are known. The perpetrator asks the victim to fill in the rest.

This got me thinking about the security of receipts which have the last four digits and the cardholder name printed on them. In many cases the bank can be guessed from the location where the card is used. So all the perpetrator needs to guess is the remaining six digits.

The last digit on the card is a check digit (the Luhn checksum) that is dependent on all the other digits. This can be used in both directions: if you know the check digit and 14 other digits you can calculate the remaining digit. So all the perpetrator needs to do is to guess the other 5 digits, 100,000 possibilities rather than a million.

For many small banks guessing the remaining 5 digits is easy, they are 00000, 00001, 00002 or for the larger longer established bank 00003.

There are two possible fixes for this problem: long and short. The long term solution has to be to get rid of the reliance on static account numbers for security entirely. Strong authentication (Chip and PIN in Europe, OATH one time passwords) or an account number that changes every time it is used is the way to go.

In the short term banks must make sure that their account numbers have sufficient randomness to make them unguessable even when the BIN and the last four digits are known. Instead of putting the account number on the card, put a value that is derived from the account number and a secret key in a cryptographically secure fashion.
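The arithmetic above, worked through as an added example (my code, not Jonathan's slides or any issuer's scheme): a Luhn check digit routine, an enumerator that lists every card number consistent with a receipt that reveals the BIN and the last four digits, and a keyed derivation of the kind the short term fix calls for. The BIN 123456, the last four digits 7890, the account ids and the issuer key are all constructed sample values. The HMAC-based derivation is one illustrative way to get an unguessable PAN and is labelled as an assumption in the code; a real issuer would also keep a table mapping each issued PAN back to its account and handle the rare collision.

```python
import hashlib
import hmac
import itertools


def luhn_check_digit(body: str) -> int:
    """Return the Luhn check digit for `body` (every digit except the last).

    Working leftwards from the digit next to the check digit, every second
    digit is doubled and 9 is subtracted from any product above 9; the check
    digit is whatever makes the sum a multiple of 10.
    """
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return (10 - total % 10) % 10


def luhn_valid(pan: str) -> bool:
    """True if `pan` is all digits and ends in the correct Luhn check digit."""
    return pan.isdigit() and len(pan) >= 2 and luhn_check_digit(pan[:-1]) == int(pan[-1])


def candidate_count(mask: str) -> int:
    """Number of Luhn-valid PANs matching `mask`, where '?' marks an unknown digit.

    The check digit removes exactly one digit of freedom, so k unknowns leave
    10**(k-1) candidates: six unknown digits give 100,000, not a million.
    """
    k = mask.count("?")
    return 10 ** (k - 1) if k else int(luhn_valid(mask))


def candidate_pans(mask: str):
    """Yield every Luhn-valid PAN matching `mask`, in ascending order of the
    unknown digits. That is also the order in which a sequentially numbering
    issuer hands out accounts, so a low account number turns up early."""
    unknown = [i for i, ch in enumerate(mask) if ch == "?"]
    if not unknown:
        if luhn_valid(mask):
            yield mask
        return
    free, solved = unknown[:-1], unknown[-1]
    for digits in itertools.product("0123456789", repeat=len(free)):
        chars = list(mask)
        for pos, d in zip(free, digits):
            chars[pos] = d
        # Luhn doubling permutes 0..9, so exactly one digit fits the solved slot
        # whether or not that slot is a doubled position.
        for d in "0123456789":
            chars[solved] = d
            pan = "".join(chars)
            if luhn_valid(pan):
                yield pan
                break


def keyed_pan(bin6: str, account_id: int, issuer_key: bytes) -> str:
    """Derive a 16-digit PAN whose nine middle digits are a keyed pseudorandom
    function of the internal account id (assumed scheme, for illustration only).

    The middle digits are HMAC-SHA256(issuer_key, account_id) reduced mod 10**9,
    so knowing the BIN and last four digits of one card says nothing about the
    rest of it, or about any other card, without the issuer's key.
    """
    assert len(bin6) == 6 and bin6.isdigit()
    mac = hmac.new(issuer_key, str(account_id).encode(), hashlib.sha256).digest()
    middle = str(int.from_bytes(mac[:8], "big") % 10**9).zfill(9)
    body = bin6 + middle
    return body + str(luhn_check_digit(body))


if __name__ == "__main__":
    # A receipt reveals the BIN (123456) and the last four digits (7890).
    # Constructed values, not a real card.
    mask = "123456??????7890"
    print(candidate_count(mask), "candidates to try")
    for pan in itertools.islice(candidate_pans(mask), 3):
        print("  first candidates:", pan)
    issuer_key = b"constructed issuer secret"
    for acct in (1, 2, 3):
        print("account", acct, "->", keyed_pan("123456", acct, issuer_key))
```

Run as a script it prints the 100,000 figure and the first few sequential candidates, then shows that consecutive internal account ids map to PANs with nothing in common beyond the BIN.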

(This has been edited since posting)

Sunday, June 11, 2006

Myspace, recruiters and bogus entries

The NYT has an article on recruiters who use MySpace to investigate applicants.

Most employers will probably want to avoid people who post about their fondness for blowing things up or shooting heroin.

What the article does not consider is whether the entry is genuine. I don't have a MySpace entry, or at least I didn't until I created one a few hours ago for the late Lord Byron. I changed the age a bit and left out the bit about his fondness for incest, but even so, is this the type of guy you want to hire?

You could do a real number on someone: post about their time spent in Pakistan as a jihadi or their spot of drug tourism in Nepal. The scope for inaccuracy here is much greater than with consumer credit reports, which are abysmal.

When I was at Southampton the Conservative group used to boast about a blacklist they circulated to employers detailing alleged 'radicals'. The list was carefully maintained on paper to avoid regulation by the Data Protection Act. When the list was finally revealed it turned out that the students were more interested in listing members of rival Tory factions than lefties. A similar effect was observed in the files of the East German Stasi, which had the same approach to personal freedom.

While this probably made the list more accurate than if they had been following the intended instructions it does demonstrate the problem. Reputation sources that lack accountability are inevitably inaccurate and unreliable.

Saturday, June 10, 2006

Yeah yeah

Yeah yeah, blogosphere is the new talk radio, yeah yeah yearly kos, blogs now dominate political talk, yeah.

But the most significant thing about the Yearly Kos event is probably the fact that you can go hobnob with the most influential pols in the Democratic Party for not much more than the price of a hotel room and travel to Vegas.

Compare that to having to raise $100,000 plus to get an invite to one of those BBQs.

The parties are not going to be owned by the campaign contributors for much longer.

Indictment Monday - Roundup of DoJ news

Being Monday it is time to go to the DoJ site and look at the latest indictment and sentencing news. I have been on the road so I have not done this for a while.

Kenneth Kwak got five months jail plus five months probation for dropping a backdoor onto a Department of Education machine. A couple of years ago this would not have merited prosecution. Now it's time in the big house. Zero tolerance.

Jeanson James Ancheta, 21, of Downey, California, 'Botherder', received 57 months plus another three years probation for botnet herding. That's a total of eight years off the net. The principal scam was defrauding affiliate advertising schemes with a bogus clickstream. He made $100K from that scam but only admits to taking $3000 from hiring out his botnet to others in 30 separate transactions. Exploiting a botnet yourself is much more lucrative than herding one for others.

Christopher Maxwell, 20, of Vacaville, California pled guilty to another botnet scam. No sentencing yet but he will be paying $250,000 in restitution and will be packing his bags for a stay in the big house for up to five years.

Shaun Hansen is the latest person to be indicted in the New Hampshire Republican Party phone jamming incident. Three other conspirators, James Tobin, Allen Raymond and Charles McGee, have all been sentenced to 10, 3 and 7 months respectively. While one might think that plotting to corruptly subvert an election should result in longer sentences than mere financial corruption, these are actually pretty severe sentences for what was charged as a single incident. Regardless, it is highly unlikely that we will be seeing very many other party activists who are willing to go to jail in order to help their candidate win.

877-256-7894 / 877 256-7879

I took a look at my statcounter pages. The number one search by far is for 877-256-7894 which means that Paul from the Prize center has been busy.

Question is why the scheme has been going on so long. I was called on a mobile number repeatedly. Why hasn't the FTC come down on this like a ton of bricks?

Even if this is just a timeshare scheme they are still making junk calls which is now illegal. I have had six calls from them all to a mobile.

Looking up the number on the web I found this report, which is pretty weird. The person decided to string them along, decided not to show up and then got some pretty weird phone calls asking "Can I lick your *ussy". The company has posted on the same blog denying the allegation and claiming that everything they do is legal. But they would say that, wouldn't they?

Friday, June 09, 2006

Indictments in the VOIP scam.

The DoJ has published the indictments in the VOIP scam reported recently. Pena Moore (via VOIPSEC)

The scam shows how bad security has a way of catching up with you eventually. The VOIP 'security' scheme relied on what was essentially a password to authenticate call connection requests.

The 'proprietary prefix' was too short to be an effective password. It is alleged that the perps brute forced the scheme, trying six million prefixes before finding one that worked. This allowed them to place calls on the network for free. They then sold wholesale call connection services to other VOIP providers for a million dollars or so.

Martha Baer: On Identity Theft

Martha Baer has an article online On Identity Theft

Pretty scary stuff, but one of the comments caught my eye 'the three percenters'. That is the bottom three percent of the population responsible for the majority of crimes.

There are a billion Internet users.

That makes 30,000,000 three percenters.

Tuesday, June 06, 2006

Me want, well sort of

Rollei have announced a digital camera based on the Rolleiflex

It is a twin lens reflex with a large waist level viewfinder etc. Only one problem: it only has a 2 megapixel sensor, so unfortunately it's not much more than a toy/fashion accessory. Certainly 2 megapixels is far too small for serious portrait work.

Monday, June 05, 2006

Ransomware - How do they cash out

The BBC reports that the Archiveus extortion virus code has been cracked. The scheme was somewhat naive in that every system that is attacked is encrypted under the same key so defeating the virus is not so challenging.

Various schemes to fix this particular issue have been proposed but none of these schemes appear to me to address the real weakness of the scheme which is how the perpetrators expect to get their hands on the money.

In the reported Archiveus attack the victims were directed to visit 'their' online pharmacy and buy something. Then they would get the key to decrypt their files. The perpetrators attempted to explain that they were not doing anything bad:

We do not want to do you any harm, we do not ask you for money, we only want to do business with you.

I doubt that a court would see it that way. Clearly this is extortion and clearly any party that knowingly facilitates the transfer of the proceeds of the extortion racket to the perpetrators should expect to be going to jail.

If I paid a ransom of that type I would immediately contact the credit card company and dispute the charge as extortion. At that point I would expect the card association would probably cancel the merchant account entirely. Either way the chance that the perpetrator would actually receive any of the extorted funds is very small.

One possibility here is that the online pharmacies are not accomplices in the fraud and the perpetrators are exploiting some sort of associate marketing scheme. Again this has the problem for the perpetrators that the length of time taken to discover the fraud is much, much less than the typical payment schedule for an associate marketing scheme. Most associate schemes pay quarterly and at best payment is monthly. It does not seem likely that any affiliate scheme would make cleared funds available within hours of a purchase being made. The organizer of any legitimate scheme is always going to wait for the funds to fully clear before making payments to affiliates.

Another mechanism that has been attempted for cashing out is to make use of the E-Gold anonymous Internet payment scheme or similar. The use of anonymous cash to facilitate extortion has been a very longstanding concern of regulators and people like myself.

In practice any commercial payment scheme has to ensure that it has the means to provide accountability if it is to be viable in the long term. If E-Gold cannot work out where the extorted funds are being directed, that is their problem, and if they fail to deal with it there are plenty of US-based regulators who are looking for an excuse to put them out of business permanently.

This is a rather easier thing to achieve than the supporters of anonymous cash believe. At root an anonymous cash scheme has the same weakness as any other unregulated bank: if the bank becomes illiquid the depositors lose all their money. It is therefore prudent for depositors to withdraw their funds at the least sign of a liquidity problem. Hence the runs on the bank that were so common in Victorian times, before the principle was firmly established that government should guarantee bank deposits and regulate a central bank that would always be available as the lender of last resort.

There are plenty of ways in which an imaginative, aggressive regulator could engineer such a situation, for example by prohibiting transfers to or from the manager of the anonymous cash scheme. Pressure can certainly be applied to the Caribbean states where such operations are typically located.

While Archiveus is certainly not going to be the last ransomware virus, it is unlikely that we will see a great number of these unless and until the perpetrators find a way to solve the problem of cashing out. Until then the strategy of following the money will inevitably betray them.

Sunday, June 04, 2006

Bruce gets it wrong again

Bruce argues that we should Make Vendors Liable for Bugs

This is a common argument: make vendors responsible for bugs, they get their act together, and hey presto, no bugs.

Only one little problem: Vendors are already liable for negligence.

Negligence has an unusual status in common law: liability for it cannot be contracted away. A contract term that excludes negligence is unenforceable, even in a negotiated contract where both sides have equal bargaining power. Terms in shrinkwrap EULAs are harder to enforce than those in a negotiated contract.

So why don't we see the law courts clogged up with negligence suits?

There are two reasons. First, the 'fit for purpose' clause that vendors insert attempts to make the user responsible for checking that the software will work in the intended application. If I buy a $1000 spreadsheet package, use it to design a nuclear power station and make no attempt to independently check the results, it does not make much sense to hold the spreadsheet vendor liable for the meltdown.

There are very few cases where a single software bug is the sole cause of an incident. If a virus gets onto your computer and eats all your files, it was your decision not to back them up properly.

The second reason there are few negligence cases is that the legal standard for negligence is unlikely to be met in most cases. The legal definition of negligence is now determined by Judge Learned Hand's test (from United States v. Carroll Towing), under which negligence has occurred if the harm was foreseeable, which is defined as being so when the cost of the damage multiplied by the probability of the damage is greater than the cost of preventing it: in Hand's notation, liability arises when B < PL, where B is the burden of precaution, P the probability of the loss and L its magnitude.

The last part, the cost of prevention, is where the whole argument breaks down. Microsoft has two testers for every developer, and developers are also responsible for performing component-level tests on the modules they produce. All told, five sixths of all software development resources go into testing, and the same ratio holds for pretty much every major vendor.

When a vendor is spending billions on software testing it is pretty difficult to see how a claim for negligence is likely to succeed: the cost of prevention is much greater than the foreseeable damages.

So if software vendors are to be made liable for bugs we are not talking about negligence; we are inventing some new type of tort with different rules. I don't think that is a good idea.

Before we start trying to transfer liability we need to look for technical measures that are cheap to implement but have a big effect on reducing vulnerability: using a language like C# or Java that supports managed code and eliminates buffer overruns (at least outside native or 'unsafe' code) rather than C or C++, for example. The trouble is that converting a program like Word or Sendmail to managed code is itself a vast expense.

There are some measures that do have low cost but deliver a high degree of protection, for example:

  • Software firewalls
  • Least privilege
  • Trustworthy hardware to prevent O/S compromise and protect cryptographic keys
  • Egress filtering of spoofed source address IP packets
  • Reverse firewalls to limit the value of an owned machine as a bot
  • Stripping out executable code from email attachments
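As an added illustration of the last measure, and not code from the original post, here is a mail-gateway filter that removes executable attachments. It assumes a block list of Windows-executable extensions (EXECUTABLE_EXTENSIONS) and, because the filename is entirely under the sender's control, also sniffs the decoded payload for PE ("MZ") and ELF magic bytes so that a renamed binary is caught as well; the message it processes is constructed inline, and the function names are my own.

```python
"""Strip executable attachments from a MIME message before delivery.

Added example, not code from the original post. EXECUTABLE_EXTENSIONS,
looks_executable, strip_executables and build_sample are assumptions
made for this illustration; the sample message is constructed inline.
"""
from __future__ import annotations

from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed block list of extensions that Windows will execute directly.
EXECUTABLE_EXTENSIONS = (
    ".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js",
    ".jse", ".wsf", ".hta", ".cpl", ".msi", ".dll",
)

# Magic numbers of native executables, checked regardless of the name.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")


def looks_executable(filename: str, payload: bytes) -> bool:
    """True if an attachment is executable by extension or by content.

    endswith() on the lower-cased name catches the classic double
    extension (invoice.pdf.exe); the magic check catches a PE or ELF
    binary renamed to something innocuous such as notes.txt.
    """
    if filename.lower().endswith(EXECUTABLE_EXTENSIONS):
        return True
    return payload.startswith(EXECUTABLE_MAGIC)


def strip_executables(raw: bytes) -> tuple[bytes, list[str]]:
    """Return (sanitised message bytes, filenames of the removed parts)."""
    msg = message_from_bytes(raw, policy=policy.default)
    removed: list[str] = []

    def scrub(part: EmailMessage) -> None:
        if not part.is_multipart():
            return
        kept = []
        for sub in part.get_payload():
            if sub.is_multipart():
                scrub(sub)                 # recurse into nested multipart/*
                kept.append(sub)
                continue
            filename = sub.get_filename()
            data = sub.get_payload(decode=True) or b""
            if filename is not None and looks_executable(filename, data):
                removed.append(filename)   # drop the whole part
            else:
                kept.append(sub)
        part.set_payload(kept)

    scrub(msg)
    return msg.as_bytes(), removed


def build_sample() -> bytes:
    """Constructed sample: text body, harmless PDF, a PE binary renamed
    to .txt, and a batch file. Only the last two should be stripped."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 fake pdf body", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ\x90\x00fake pe header", maintype="text",
                       subtype="plain", filename="notes.txt")
    msg.add_attachment(b"@echo off\r\nformat c:", maintype="application",
                       subtype="octet-stream", filename="setup.bat")
    return msg.as_bytes()


if __name__ == "__main__":
    clean, gone = strip_executables(build_sample())
    print("removed:", gone)
    print(clean.decode())
```

Two caveats a gateway operator would add: executable content also hides inside archives and in Office macros, which this filter does not open, and a production MTA would normally replace a stripped part with a short notice rather than deleting it silently, so the recipient knows something was removed.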

The thing is that software vendors are already implementing the first three measures as aggressively as can be expected. The last three are the ones we are not seeing progress on, and those are in the power of ISPs rather than the software vendors.
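To make the ISP-side measure concrete, here is an added model of egress filtering of spoofed source addresses; it is not code from the original post. The rule is the BCP 38 one: an access network can only legitimately originate packets whose source lies in a prefix assigned to it, so anything else leaving the network is spoofed and is dropped at the edge. ASSIGNED_PREFIXES and SAMPLE_PACKETS are constructed for the illustration, and real routers apply the same decision through interface ACLs or unicast reverse-path checks rather than Python.

```python
"""Egress filtering of spoofed source addresses (the BCP 38 rule).

Added example, not from the original post. ASSIGNED_PREFIXES,
SAMPLE_PACKETS, Packet and EgressFilter are assumptions made for the
illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Iterable

# Assumed: the prefixes assigned to the customer network behind this edge.
ASSIGNED_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


class EgressFilter:
    """Forward an outbound packet only when its source is one of ours."""

    def __init__(self, prefixes):
        self.v4 = [p for p in prefixes if p.version == 4]
        self.v6 = [p for p in prefixes if p.version == 6]

    def permitted(self, src: str) -> bool:
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            return False                     # unparseable source: drop
        # Never let loopback, multicast or unspecified sources out, even
        # if a sloppy prefix list happened to cover them.
        if addr.is_loopback or addr.is_multicast or addr.is_unspecified:
            return False
        nets = self.v4 if addr.version == 4 else self.v6
        return any(addr in net for net in nets)

    def filter(self, packets: Iterable[Packet]) -> tuple[list[Packet], list[Packet]]:
        forwarded: list[Packet] = []
        dropped: list[Packet] = []
        for pkt in packets:
            (forwarded if self.permitted(pkt.src) else dropped).append(pkt)
        return forwarded, dropped


# Constructed sample traffic leaving the customer network.
SAMPLE_PACKETS = [
    Packet("203.0.113.7", "198.51.100.1"),        # genuine customer host
    Packet("198.51.100.9", "192.0.2.1"),          # spoofed: not our prefix
    Packet("2001:db8:1::5", "2001:db8:ffff::1"),  # genuine IPv6 host
    Packet("2001:db8:2::5", "2001:db8:ffff::1"),  # spoofed IPv6 source
    Packet("127.0.0.1", "192.0.2.1"),             # bogus loopback source
]


def run_sample() -> tuple[list[Packet], list[Packet]]:
    """Apply the filter to the constructed traffic."""
    return EgressFilter(ASSIGNED_PREFIXES).filter(SAMPLE_PACKETS)


if __name__ == "__main__":
    fwd, drop = run_sample()
    for p in fwd:
        print("FORWARD", p.src, "->", p.dst)
    for p in drop:
        print("DROP   ", p.src, "->", p.dst)
```

The split by address family matters in practice: a filter that only lists IPv4 prefixes silently lets every IPv6 source through, which is why the check refuses any source for which no prefix of its own family is configured.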