Tuesday, February 19, 2008

Don't make it too secure

Everyone is agreed that securing the Internet is hard. So why do we have to spend so much time worrying about the complaints of people who say 'don't make it too secure'?

This question was raised during the cryptowars. During the 1990s there was a determined campaign led by Louis Freeh to make non-government use of strong cryptography illegal in the US. As a direct result, more time tended to be spent making cryptographic protocols 'Freeh-proof' than making them usable by ordinary people. We still live with the consequences today.

We risk repeating this mistake today as some people assert that making technology RIAA-proof is more important than making it secure.

Deployment of cryptography increases the power of the deployer at the expense of the attacker. But certain types of attack may be socially desirable, possibly even sanctioned in the case of a whistleblower revealing criminal behavior.

Sometimes it's the bad guys who deploy security to enhance their power at the expense of the good. The technology is no better at distinguishing good intent from bad than people are.

Deployment of perfectly secure trustworthy computing could well tip the balance of power in favor of copyright holders, allowing them to effectively create perpetual copyrights through technical means, eliminating provisions for fair use and reversion to the public domain. Whether or not this goal is desirable, it is unreachable. In order to make profits, copyright holders must be able to reach an audience of millions, and copyright enforcement is a 'break once, run anywhere' problem. We simply do not have the technology available to enforce controls on content that may be accessed from a billion-plus endpoints. Nor is this ever likely to be the case.

Nor should trustworthy computing be considered the principal concern for covert whistleblowers. The technologies most likely to affect them are not technical measures such as trustworthy computing, which might be employed to enforce effective access control, but fingerprinting and watermarking technologies, which might be used to identify the source of a leak and thus strengthen accountability controls.

If we are going to get a handle on the current epidemic of data breaches we are going to have to change the way we secure sensitive information to make the accidental leak less likely to occur.

To date I have received five breach notifications; in each case the cause of the leak was a lost or stolen laptop containing confidential data. Whole disk encryption is currently the most easily deployed fix, but it's a blunt instrument and one that solves the measurable problem rather than the actual one. Laptops are relatively valuable and the loss of one typically stops the employee working, so losses are typically reported. The same is not true of USB thumb drives, which are frequently purchased by the employee rather than the company, typically provide no built-in encryption system (or at least none the user is likely to use), and are rather more easily lost.

If we are going to start getting a handle on the problem of lost client confidential data we need to move the protection to the data. If we are going to protect the whole data lifecycle we are going to have to deal with the problem of ensuring that the operating system running on the machine is the one the owner actually intends to run on it. In order to do that we need a trustworthy boot process that guarantees that the right O/S is loaded and a trustworthy means of certifying that the right O/S is actually running. And those are by definition trustworthy computing technologies.
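The two pieces the paragraph asks for, a boot process that records what was loaded and a way for a third party to certify it, are what measured boot and remote attestation provide. The following is an added illustration, not code from the original post: each boot stage hashes the component it hands control to and folds that hash into a single TPM-style register (PCR' = SHA-256(PCR || measurement)), and a verifier who knows the approved firmware, loader and O/S images recomputes the expected register value and checks it against a quote the platform produces over a fresh nonce. The images, the attestation key and the nonces are constructed for the example, and an HMAC stands in for the asymmetric signature a real TPM would produce.

```python
"""Simulated measured boot plus remote attestation (example, not the post's code).

Every image, key and nonce below is constructed for illustration.
"""
import hashlib
import hmac
import os

PCR_INIT = bytes(32)  # the register starts zeroed at power-on


def measure(image: bytes) -> bytes:
    """Hash of a boot component, as firmware would record it in the event log."""
    return hashlib.sha256(image).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: the new value depends on the old value and the measurement,
    so the final register reflects every stage and the order in which they ran."""
    return hashlib.sha256(pcr + measurement).digest()


def measured_boot(stages):
    """Run the chain over (name, image) pairs; return final register and event log."""
    pcr = PCR_INIT
    event_log = []
    for name, image in stages:
        m = measure(image)
        event_log.append((name, m.hex()))
        pcr = extend(pcr, m)
    return pcr, event_log


def quote(pcr: bytes, nonce: bytes, attestation_key: bytes) -> bytes:
    """Platform side: bind the register value to the verifier's nonce.
    A real TPM signs with an asymmetric attestation key; an HMAC stands in for
    that signature here so the example runs with the standard library only."""
    return hmac.new(attestation_key, nonce + pcr, hashlib.sha256).digest()


def verify(reported_pcr, reported_quote, nonce, attestation_key, golden_images):
    """Verifier side: the quote must be genuine, fresh, and match the approved chain."""
    expected_quote = hmac.new(attestation_key, nonce + reported_pcr, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_quote, reported_quote):
        return False, "quote was not produced over this nonce and register value"
    golden_pcr, _ = measured_boot(golden_images)
    if not hmac.compare_digest(golden_pcr, reported_pcr):
        return False, "register does not match the approved firmware/loader/O/S"
    return True, "platform booted the intended O/S"


# Constructed sample platform: the images the owner intends to run.
GOLDEN = [
    ("firmware", b"vendor firmware v1.2 (constructed)"),
    ("bootloader", b"signed bootloader build 42 (constructed)"),
    ("kernel", b"corporate O/S image 2008.02 (constructed)"),
]
ATTESTATION_KEY = b"example attestation key, not a real TPM key"


def run_attestation(booted_images, nonce=None):
    """Boot with the given images, quote the result, and let the verifier judge it."""
    nonce = nonce if nonce is not None else os.urandom(16)
    pcr, _log = measured_boot(booted_images)
    q = quote(pcr, nonce, ATTESTATION_KEY)
    return verify(pcr, q, nonce, ATTESTATION_KEY, GOLDEN)


def replayed_quote_rejected():
    """A quote captured under yesterday's nonce must fail against today's nonce."""
    pcr, _ = measured_boot(GOLDEN)
    old_quote = quote(pcr, b"nonce-from-yesterday", ATTESTATION_KEY)
    ok, _reason = verify(pcr, old_quote, b"nonce-issued-today", ATTESTATION_KEY, GOLDEN)
    return ok


if __name__ == "__main__":
    print("approved chain:", run_attestation(GOLDEN))
    tampered = GOLDEN[:2] + [("kernel", b"corporate O/S image 2008.02 + extra module (constructed)")]
    print("modified kernel:", run_attestation(tampered))
    print("replayed quote accepted?", replayed_quote_rejected())
```

The register alone tells the verifier nothing about which stage changed; that is what the event log is for, and a verifier that keeps per-image hashes can walk the log to name the unexpected component. The nonce is what turns a stored measurement into evidence about the O/S running now rather than one that ran at some earlier boot.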
