"SSL stops credit card sniffing" is a correlation/causality myth

Ian G iang at systemics.com
Wed Jun 1 11:24:07 EDT 2005


On Tuesday 31 May 2005 23:43, Perry E. Metzger wrote:
> Ian G <iang at systemics.com> writes:

Just on the narrow issue of data - I hope I've
addressed the other substantial points in the
other posts.

> > The only way we can overcome this issue is data.
>
> You aren't going to get it. The companies that get victimized have a
> very strong incentive not to share incident information very
> widely.

On the issue of sharing data by victims, I'd strongly
recommend the paper by Schechter and Smith, FC03.
"How Much Security is Enough to Stop a Thief?"
http://www.eecs.harvard.edu/~stuart/papers/fc03.pdf
I've also got a draft paper that argues the same thing
and speaks directly and contrarily to your statement:

Sharing data is part of the way towards better security.

(But I argue it from a different perspective to S&S.)


> 1) You have one anecdote. You really have no idea how
>    frequently this happens, etc.

The world for security in the USA changed dramatically
when Choicepoint hit.  Check out the data at:

http://pipeda.blogspot.com/2005/02/summaries-of-incidents-cataloged-on.html
http://www.strongauth.com/regulations/sb1386/sb1386Disclosures.html

Also, check out Adam's blog at

http://www.emergentchaos.com/

He has a whole category entitled Choicepoint for
background reading:

http://www.emergentchaos.com/archives/cat_choicepoint.html

Finally we have our data in the internal governance
and hacking breaches.  As someone said today, Amen
to that.  No more arguments, just say "Choicepoint."

> 2) It doesn't matter how frequently it happens, because no two
>    companies are identical. You can't run 100 choicepoints and see
>    what percentage have problems.

We all know that the attacker is active and can
change tactics.  But locksmiths still recommend
that you put a lock on your door that is a) a bit
stronger than the door and b) a bit better than your
neighbours.  Just because there are interesting
quirks and edge cases in these sciences doesn't
mean we should wipe out other aspects of our
knowledge of scientific method.

> 3) If you're deciding on how to set up your firm's security, you can't
>    say "95% of the time no one attacks you so we won't bother", for
>    the same reason that you can't say "if I drive my car while
>    slightly drunk 95% of the time I'll arrive safe", because the 95%
>    of the time that nothing happens doesn't matter if the cost of the
>    5% is so painful (like, say, death) that you can't recover from
>    it.

Which is true regardless of whether you are
slightly drunk or not at all or whether a few
pills had been taken or tiredness hits.

Literally, like driving when not 100% fit, the
decision maker makes a quick decision based
on what they know.  The more they know, the
better off they are.  The more data they have,
the better informed their decision.

>    In particular, you don't want to be someone on whose watch a
>    major breach happens. Your career is over even if it never happens
>    to anyone else in the industry.

Sure.  Life's a bitch.  One can only do one's
best and hope it doesn't hit.  But have a read
of S&S' paper, and if you still have the appetite,
try my draft:

http://iang.org/papers/market_for_silver_bullets.html

> Statistics and the sort of economic analysis you speak of depends on
> assumptions like statistical independence and the ability to do
> calculations. If you have no basis for calculation and statistical
> independence doesn't hold because your actors are not random processes
> but intelligent actors, the method is worthless.

No, that's way beyond what I was saying.

I was simply asserting one thing:  without data, we do
not know if an issue exists.  Without even a vaguely
measured sense of seeing it in enough cases to know
it is not an anomaly, we simply can't differentiate it
from all the other conspiracy theories, FUD sales,
government agendas, regulatory hobby horses,
history lessons written by victors, or what-have-you.

Ask any manager.  Go to him or her with a new
threat.  He or she will ask "who has this happened
to?"

If the answer is "it used to happen all the time in
1994 ..." then a manager could be forgiven for
deciding the data was stale.  If the answer is
no-one, then no matter how risky, the likely
answer is "get out!"  If the answer is "these X
companies in the last month" then you've got
some mileage.

Data is everything.

iang
-- 
Advances in Financial Cryptography:
   https://www.financialcryptography.com/mt/archives/000458.html
