Chad Perrin examines what passes for security in the "post-9/11 world" and finds it lacking, particularly as it affects users and cybercrime. Instead of security awareness, he sees security alarmism on the rise, and along with it, the threat of innocent people being persecuted and actual criminals slipping through the cracks.
In what many call the "post-9/11 world," the word "security" often has new and dramatic meaning. This is also the post-SQL-Slammer world, and a world in which identity fraud via digital means is a constant bugbear lurking in the dark shadows of our minds every time we open up a Web browser.
Heightened security awareness is a good thing, and I support efforts to increase such awareness. A lot of what I do for a living involves trying to improve others' security awareness, and I write articles like, "Has security grown beyond DIY?" and "Making encryption popular" in part, to help improve the security awareness of my readers.
This increased attention on the word "security" and its connotations has not at all improved security awareness, though. Much of it is nothing more than security alarmism, doing the Chicken Little dance and squawking that the sky is falling. Much of it is the result of many uncoordinated, independent attempts to exacerbate a climate of fear that supports someone's agenda -- an agenda that, often, has little to do with improving any actual security (with the possible exception of some politician's job security).
The world needs a wake-up call.
The growing legal necessity for strong IT security is, in some ways, a good thing. It's good that corporations are increasingly required to inform their customers when private customer data has been compromised in a security breach, for instance. It's also good that, when a security breach leads to material losses on the part of a third party, that third party has legal recourse in a court of law if the breached party was negligent.
This section of the article is, unfortunately, quite short.
There's a dark side to the growing legal focus on security, too. Germany, England, and even some jurisdictions in the United States have all taken steps to outlaw security tools and even largely innocuous network utilities:
- Germany bans so-called "hacking tools"
- UK government seeks to outlaw distribution of many network tools
- North Dakota judge rules that
host -lcommand constitutes "hacking"
Under these provisions it becomes an offense to create, use or distribute so-called "hacking tools." Critics point out that many of these tools are used by system administrators and security consultants quite legitimately to probe for vulnerabilities in corporate systems.
Obtaining, adapting, supplying or offering to supply tools such as Wireshark would likewise be above board. But distributing such dual-use tools remains an offence, to the chagrin of security experts.
In the judgment (which was prepared by the plaintiff's counsel and sent to the judge), the use of the "host -l" command is tantamount to computer hijacking and hacking.
This, however, is only the tip of the iceberg. There is much worse in store for us all.
What do you think the real effect was of the Napster case? Do you think it helped "the artists?" Think again. The truth is that it has paved the way for ever-more draconian restrictions on how you may use your computer, including limiting the way you are allowed to download software -- limits that may interfere with your ability to verify that you're getting a valid, safe copy of the software. The example of the Napster case set the stage for the eventual attacks on BitTorrent trackers and, while BitTorrent itself is not designed particularly with this use in mind, the distributed downloading model used by BitTorrent offers tantalizing glimpses of potential future file verification by way of emergent reputation systems.
Considering you can now be convicted of computer crimes just for using
host -l in North Dakota, it should come as no surprise that the FBI started charging people with kiddie porn for visiting a URL the FBI set up. Think about the implications of that for a moment: you could, conceivably, click on a link that was labeled, "Click Here for Antique Furniture Sale,"and end up on a sex offenders registry. The FBI has reportedly taken down the entrapment "honeypot" -- but not before the reputations and careers of supposed "offenders" may have been destroyed.
Another frightening possibility is that neighbors piggybacking off your wireless network might be downloading kiddie porn, engaging in online "terrorist" activities, or otherwise behaving in a legally risky manner -- and you might take the blame. If you have an unsecured or vulnerable network service running on your wireless network, if you've misconfigured your wireless access point, if you have an unsecured wireless network, or if someone has cracked any encryption on your network, you may suddenly find yourself the subject of an investigation with someone else's incriminating files stored in a well-hidden directory on one of your computers.
A modicum of imagination is all it takes to realize some of the disturbing possibilities that might arise regarding Deb Shinder's "10 ways you may be breaking the law with your computer."
Now consider the fact that malware hidden by rootkits on an infected computer may actually mean that crimes are really originating from your own computer, and you probably wouldn't even know it if you aren't borderline paranoid about computer security. How do you prove you aren't the perpetrator when an attack on someone else's computer actually originated from your own computer?
The more alarmist our society's attitude toward matters of security, the worse it will get for the innocent. Being accused of a crime will become more common and less dependent on hard evidence; clearing your name will become more difficult; the motivation to use others' networks for any questionable activities will grow, thus putting unconnected people at risk; restrictions on legitimate activities because they are superficially similar to illegal activities will become more intrusive and limiting. Just consider how much more difficult it is becoming to make backups of software, music, and video media on commercial operating systems -- undermining the doctrine of fair use, a long-standing court precedent that protects the rights of consumers to actually derive value from what they've purchased.
The value of "security" is dubious when it is purchased at the cost of the safety of the people whose security is meant to be protected. When the innocent, and the innocents' legitimate activities, are restricted and even persecuted in the pursuit of security, we have to wonder what it is we're trying to secure. The phrase "burn the village to save it" may come to mind.
There are those who would argue that one wrongly convicted innocent is an acceptable loss when a hundred, or even perhaps just ten, guilty criminals are brought to justice. If that's how you feel, the previous paragraph may not worry you much. If it does worry you, though, it's something to think about as you consider the consequences of security alarmism, as opposed to real security awareness. If not, feel free to ignore it. There's still another matter to consider, however -- the signal to noise ratio.
As the opportunities for investigations increase, as the bar for consideration in criminal investigations continues to drop -- as more and more people end up on law enforcement radar as potential suspects in unconfirmed information technology related crimes -- the incidence of actual crimes will become increasingly difficult to pick out of the glut of data.
The end result is, as more resources are wasted on investigations of dubious evidence (that a few years ago would have been deemed too weak to bother examining), the fewer resources that can be effectively brought to bear on the most obvious, egregious examples of malicious security cracking and other information-technology crimes. As the net is cast wider, it gets more difficult to sift through everything you catch to determine what deserves closer examination. It's a bit like bold font emphasis in text -- if you emphasize everything, you end up with effective emphasis of nothing.
Increasing pressure to "do something" about computer crime may lead to increasingly sloppy, decreasingly accurate investigation tactics, in the eagerness to satisfy superiors or even meet quotas. By analogy, Aleksandr Solzhenitsyn said of the NKVD in the Soviet Union:
They merely had over-all assignments, quotas for a specific number of arrests. These quotas might be filled on an orderly basis or wholly arbitrarily. In 1937 a woman came to the reception room of the Novocherkassk NKVD to ask what she should do about the unfed unweaned infant of a neighbor who had been arrested. They said: "Sit down, we'll find out." She sat there for two hours -- whereupon they took her and tossed her into a cell. They had a total plan which had to be fulfilled in a hurry, and there was no one available to send out into the city -- and here was this woman already in their hands!
You might think that sort of behavior is impossible in the law enforcement agencies of an "enlightened" western democracy, but the truth is that the structure of a government like that of the United States simply makes that behavior less common, and easier to correct with the help of legal doctrines such as the power of the courts to issue a Writ of Habeas Corpus (as long as a Writ can still legally be issued; even that is now in question). It does not make such behavior impossible in the first place.
This is why recognizing the difference between security awareness and security alarmism is so important: when the need to do something overwhelms the need to do the right thing, the right thing often does not get done at all. Security suffers, and the actual malicious security crackers easily slip through the cracks, camouflaged by the teeming mass of law-abiding citizens whose legitimate activities increasingly take on a suspicious appearance in the eyes of those who are oversensitive to potential signs of wrongdoing.
When we let security alarmism overtake security awareness, only the bad guys win.
Promote security awareness
An important component of promoting security awareness is working to suppress security alarmism, to discourage hypersensitivity to the superficial signs of security threats in favor of a reasoned concern for the actual risks we face and how best to respond to them. If you're a network administrator, a security professional, a law enforcement agent, or even just a voter with a willingness to try to affect public policy, it's important to keep in mind the dangers of security alarmism. It's imortant to promote security awareness over security alarmism in more mundane settings, as well, such as in the server room and the corporate boardroom.
Don't let fear stand in the way of security. Promote security awareness, not security alarmism.