[Cryptography] the hierarchy of cluelessness

John Denker jsd at av8n.com
Thu Dec 11 08:01:40 EST 2014 

On Tue, Dec 9, 2014 at 2:55 PM, <dan at geer.org> wrote:

>> "Banks Dreading Computer Hacks Call for Cyber War Council"
>> Bloomberg, July 8, 2014
>>
>> www.bloomberg.com/news/print/2014-07-08/banks-dreading-computer-hacks-call-for-cyber-war-council.html

Specifically, they are calling for a *government-industry* cyber war council

On 12/10/2014 08:49 AM, John Ioannidis asked:

> Are these people that clueless (which makes me even more worried about the
> vulnerability of our financial systems) [...] ?

Executive summary:
 a) Yes, the banks are infinitely clueless... but we knew that already.
 b) The government is infinitely clueless.  
 c) Most of the bank customers are infinitely clueless.
 d) Other industry sectors are just as clueless.
 e) The mainstream media are clueless.
 f) The bankers blame the security geeks (i.e. us) for not providing
  them with easy-to-use tools.

Discussion:

Evidence for point (b):

 The NSA knew, or should have known, that what they were
 doing was wrong, but they did it anyway.  Consider the
 contrast:

 ++ The secrecy should be in the keys.  In contrast, the
  method "should not require secrecy, and it should not
  be a problem if it falls into enemy hands."
                     -- Auguste Kerckhoffs

 ++ "The enemy knows the system."
                     -- Claude Shannon

 ++ "In the long run it is more important to secure one's own 
  communications than to exploit those of the enemy."
                     -- Frank Rowlett

 -- "Let's create a situation where our friends can be spied
  upon more easily than our enemies."
                     -- NSA policy for 40+ years

Evidence for point (a):

 The fact that the banks would turn to the clueless government
 for help proves the banks are infinitely clueless ... but we
 already had plenty of other ways of proving that.

 Example:  The following email recently came to my attention.
    https://www.av8n.com/security/new-website.eml

 I called the bank.  The conversation went something like this:
  jsd:  This looks like a phishing attack.  
  bank: No, it is completely secure, because we sent it, and 
    our IT department is super-careful about things like that.
  jsd:  The little old lady who received this email, how is
    she supposed to know you sent it?
  bank: Because it's from us.
  jsd:  But how is she supposed to know that?  By sending this
    email, you are training your customers to be victims.  What
    if she got two emails on the same day, one from you and one
    from North Korea, which one should she trust?
  bank: She should trust the one from us.
  jsd:  And how is she supposed to know which is which?
  bank: It says right at the top it's from us.
  jsd:  And how hard do you think it is for the bad guys to
    forge that?
  bank: But the point is, we would never direct you to an
    insecure website.  It says so right in the email, at
    the top and the bottom.  We have super-strict rules and
    procedures about that.
  jsd:  Well, this email violates your own rules bigtime.  It
    directs users to two different web sites not your own, a
    third party and a fourth party.  The mail itself emanated
    from a fifth party.  You keep saying you sent it, but in
    fact you didn't.
  bank: But those web guys are under contract to us.
  jsd:  You know that, but the little old lady doesn't.  The
    bad guys could be preparing almost-identical emails right
    now, and none of your customers would be able to tell the
    difference.  You're training your customers to be victims.
  bank: This email is secure, because we sent it.
  jsd:  Aaaaarrrrrgh!

 They guy said he would pass my comments on to management.  I
 know this had no effect, because a couple of weeks later the
 bank sent out another round of equally-phishy emails.

Further evidence for (a), (b), (c), and the interaction between them:  

 The government has imposed voluminous regulations on the banks.
 A lot of stuff that used to be punishable by revoking your 
 banking license is now a felony.  There are also regulations 
 that require elaborate encryption of customer data.  The regs
 are so cumbersome that bankers find them hard to handle, and 
 most customers find them impossible to handle.  The result is
 that bankers have completely-insecure personal hotmail accounts
 that they use to communicate with customers.  After the deal
 has been worked out, they cut-and-paste it into the official
 bank system.  Ta Da!  Problem "solved".

Example of point (e):

 Today the Gomorrah Post ran a story about the Sony hack:
   http://www.washingtonpost.com/business/economy/sonys-hacked-e-mails-expose-spats-director-calling-angelina-jolie-a-brat/2014/12/10/a799e8a0-809c-11e4-8882-03cf08410beb_story.html

 It says in part:

> The company has endured a wave of criticism — bordering on ridicule —
> in recent days for a reportedly lax approach to cybersecurity. In one
> widely mocked remark, Sony’s top information security official told
> CIO magazine in 2007 that it was “a valid business decision” to
> accept some cybersecurity risk because preventing an attack could be
> more expensive than simply enduring it.

 It seems to me that the CIO's point is absolutely valid.  There
 is a dial to adjust how much risk you want to accept, and one
 could argue that Sony set the dial in the wrong place, but one
 should not "ridicule" the idea that such a dial exists.

 The hypocrisy is stunning, given that Post itself has been hacked:
   https://www.google.com/search?q=%22washington+post+site%22+%22hacked%22

Remark on the interaction between (a), (b), (c), and (f):

 The US black budget is on the order of 50 billion dollars 
 per year.  AFAICT virtually all of it is spent on offense,
 i.e. weakening perceived enemies.   Department of "Defense"
 my ass.  The overall "defense" budget is on the order of a
 trillion dollars per year.  The /profit/ in the US financial
 sector alone is something like 1.7 trillion dollars per year
 ... roughly 1/10th of the GDP.

 Imagine what would happen if the feds, the banks, Sony, 
 and other players were to invest some of their money by
 paying a few geeks to develop more easily-usable tools.
 You know, actual /defense/ as opposed to offense.

One more point:  The idea that China might try to pillage US
trade secrets should come as a surprise to nobody.  The US
did exactly the same thing to Britain 200 years ago.  See e.g.
  http://www.newyorker.com/magazine/2014/06/09/spy-vs-spy-3

More information about the cryptography mailing list