Emergent Chaos

So, Adam retweets a hysterical reference to a viral email about an absolute genius of a Xmas light display made to look like an accident with a ladder, and the hapless homeowner left hanging from the gutter of his house.
The email explains that the display was taken down after two days in large part because so many people were stopping to help, in some cases at risk to themselves.
After pausing a moment to reflect on the evil genius behind this idea, I immediately wondered how the willingness of passers-by to assist might vary according to the amount of traffic on the road passing the house. The notion, exemplified in the infamous Kitty Genovese murder, is that the willingness of people to “get involved” decreases as the (individually-perceived) number of possible interveners increases. If a passer-by knew the route was well-travelled, she would (so one theoretical formulation goes) be less likely to stop, whereas on an infrequently-used byway, she would be more likely to assist. (I later realized that the “cul-de-sac”scenario is more complex, in that drivers/walkers on such a road are much more likely to (think they) know the victim AND to think that their action or inaction will become known by others).
After having these thoughts, I was left chuckling at myself. Would most sane people have analyzed a prank in these terms? Maybe it was because I was reading Luce and Raiffa before breakfast…

In “An Unstoppable Force Meets…” Haseeb writes about “we have just witnessed a monumental event in the history of online poker – the entrance of Isildur into our world of online poker.” Huh? Really? The post is jargon packed, and I’m not a poker player, but apparently this Isildur character has slaughtered all the best online players in the world by being “hyperaggro:”

About a week later I was sitting at tables without any action when Isildur showed up at one of my 25/50 NL tables. I was bored and willing to play anything, so when he offered to play 6 tables (although usually I max out at 4), I decided to take him up on his offer and play a serious NLHE HU match for the first time in a long while. As the match progressed, all of what I’d heard about him being hyperaggro and barrelly checked out, but as I watched the lines he took to bluff, valuebet, and the way he reacted to my betting patterns, he seemed uncannily perceptive. Nevertheless, within the first hour or so I had won about 30k and was feeling pretty confident. He sat out on all of the tables and I assumed that the match was over and was about to check out. But about a minute later he said “brb,” and so I decided to wait for him and continue the match.

One idea, seems obvious to me, is that Isildur is collaborating with the servers to know what everyone’s cards are. Maybe the server operators are involved, maybe not.

Either way, the post is an entertaining read.

Untitled photo by allfangs and elbows

There are obviously a large set of political questions around the 700+ billion dollars of distressed assets Uncle Sam plans to hold. If you care about the politics, you’re already following in more detail than I’m going to bother providing. I do think that we need to act to stem the crisis, and that we should bang out the best deal we can before the rest of the banks in the US come falling like dominos. As Bagehot said, no bank can withstand a crisis of confidence in its ability to settle. I think that knowing how distasteful and expensive it is, and with far better things to do with the $5,000 or so it will personally cost me as a taxpayer. (That $2,300 figure is per person.) I also think that knowing how poorly this administration has done in handling crisis from 9/11 to Katrina, and how poorly it does when forced to act in a moment of crisis. (Sandy Levinson has some interesting comments at “A further Schmittian (and constitutional?) moment.”) Finally, we are not bailing out the banks at the cost of a free market in banking. We gave up on a free market in banking in 1913 or so, after J.P. Morgan (not his eponymous bank) intervened to fix the crises of 1895 and 1907.

What I did want to look at was the phrase “more regulation,” and relate it a little to information security and risk management.

US banks are already intensely regulated under an alphabet soup of laws like SOX, GLB, USA PATRIOT and BSA. They’re subject to a slew of additional contractual obligations under things like PCI-DSS and BASEL rules on capital. And that’s leaving out the operational sand which goes by the name AML.

In fact, the alphabet soup has gotten so thick that there’s an acronym for the acronyms: GRC, or Governance, Risk and Compliance. Note that two of those three aren’t about security at all: they’re about process and laws. In the executive suite, it makes perfect sense to start security with those governance and compliance risks which put the firm or its leaders at risk.

There’s only so much budget for such things. After all, every dollar you spend on GRC and security is one that you don’t return to your shareholders or take home as a bonus. And measuring the value of that spending is notoriously hard, because we don’t share data about what happens.

Just saying that measurement is hard is easy. It’s a cop out. I have (macro-scale) evidence as to how well it all works:

• Bear Stearns
• Fannie Mae
• Freddie Mac
• Lehman Borthers
• AIG
• Washington Mutual
• Wachovia
• (Reserved)

I have a theory: in competition for budget within GRC, Governance and Compliance won. They had better micro-scale evidence as to their value, and that budget was funded before Risk was allowed to think deeply about risks.

There’s obviously immediate staunching to be done, but as we come out of that phase and start thinking about what regulatory framework to build, we need to think about how to align the interests of bankers and society.

If you’d like more on these aspects, I enjoyed Bob Blakley’s “Wall Street’s Governance and Risk Management Crisis” and
Nick Leeson, “The Escape of the Bankrupt” (via Not Bad for a Cubicle. Thurston points out the irony of being lectured by Nick “Wanna buy Barings?” Leeson.)

I’m not representing my co-author Andrew in any of this, but at least as I write this, his institution remains solvent.

GetAFreelancer.com has a job for you if you need some high-paid work — write a remote keylogger.

Here are the project requirements:

We need a keylogger that can be installed remotely.

Description:
The main purpose is that the user A can send an email with a program to install (example: a game or a funny program) to the person B. When the person B install the program on his computer, he is installing at the same time an invisible keylogger on his computer. Then the person A is receiving the report by email of every keystrokes that the person B is doing on his computer.

They only want to pay $250 to $750, which seems fair given that the requirements don’t include undetectability. For that low a contract price, it seems only fair to give the victim a fighting chance.

Photo “Keylogger 1.0 Beta” by soulrift.

So there’s some great discussion going on in the comments to “Certifiably Silly,” and I’d urge you to read them all. I wanted to respond to several, and I’ll start with Frank Hecker:

Could we take the cost issue out of this equation please … [Adam: I'm willing to set it aside, because the conversation has spiraled.]

The real questions as I see it are

1) Leaving aside the issue of cost, what are the pros and cons of introducing self-signed certificates into the current browser model of SSL?

2) If the advantages of introducing self-signed certificates into this model outweigh the disadvantages, what is the best approach (from a technical and user experience perspective) to introduce self-signed certificates into the current SSL model?

3) If there is a good technical/UX approach to introduce self-signed certificates into the current SSL model, what is the likelihood of such an approach being adopted on a universal basis (i.e., by all browser vendors), and how might this be made more likely?

I’d argue that these are the wrong questions: the real questions underlying our disagreement are probably “do certification authorities do what they’re purported to do, and (if we agree they don’t), what do we do about it?”

I think we do two things: One, we stop investing so much in them, and second, we investigate the heck out of the alternatives, including persistence and organizational CAs, including CAs run by groups like the American Bankers Association. These are both in direct contradiction of the CA business model, and so they’ve been stillborn.

I’m not going to claim that either will have better user experience than the current SSL model, and that’s a low bar.

So I’m wrong, the issue isn’t really self-signed certs, it’s the CA model.

There were another points raised, by both Frank and Andy Steingruebl about my bookmark model, which is that it breaks PayPal. There are two ways to read this model: One is “always use bookmarks.” the other is “never click on a link in email.” I intended the first, the second is unclear, given the prevalence of webmail. Perhaps we could address this by having merchants send transactions to PayPal, and then if I choose to login via a bookmark, I get a list of pending activity.

The final point that Andy raised is organizations with lots of web sites. A reasonable point, and one I’m not sure how to address. Part of how I’d address it is that most of us don’t see all of those brands. I would be happy to see some of the brand profusion go away, which of course, doesn’t mean it would happen. (I consulted for a bank for several years, I can’t keep track of all the brands that they present around my retirement accounts.) If I can’t keep track of them when they’re ‘not’ security critical, I surely can’t keep track when they are, and it is unreasonable to expect me to.

Over at “The Security Practice,” Michael Barrett writes about “Firefox 3.0 and self-signed certificates.” Neither he or I are representing our respective employers.

…almost everyone who wants to communicate securely using a browser can afford an SSL certificate from CAs such as GoDaddy, Thawte, etc. The cost of single certificates from these sources can only be described as nominal.

There are all sorts of use cases where $29 is not chump change. For example, I own about 8 domains, that’s $240 in “security taxes.” People in the third world would like to communicate securely. But most importantly, the idea assumes that it’s ok to have an infrastructure which is mostly unencrypted, and we may only trust encryption only after the certificate priests bless it. When I wrote about turning on “opportunistic encryption for PostFix,” my goal was encrypting all email. There’s no need for a CA. The threat model is passive adversaries, and there are lots of those.

My company is a major target of phishing, and as such we’ve spent quite a bit of time researching what anti-phishing approaches work We published a whitepaper on this topic (which can be found on the company blog at www.thepaypalblog.com), which explains this in detail. However, a couple of relevant conclusions are that: 1) the vast majority of users simply want to be protected, 2) there’s no single “silver bullet”, and 3) that what we describe as “safer browsers” such as IE 7, and Firefox 3.0 are a significant part of the solution based on their improvements in user visible security indicators and secure-by-default behaviors.

You can’t always get what you want. Really, most people have little understanding of the issues. I think this is in large part because we’ve been talking down to them, in some part because the issues are complex, and in some part because it’s not important enough for them to want to become educated. It’s especially not important enough in light of debates like this one. We should try (sometime) to give people what they need.

I think we’d agree that the vast majority of users want, need and deserve protection that’s as simple and effective as we can make it. I don’t think blocking self-signed certs is a large part of that goal.

I conflated two or three separate ideas in that last sentence, and I should explain them. The general logic is that most users should never be presented with a security dialog that gives them a choice – if they are, there’s typically at least a 50:50 chance that the wrong decision will be made. Instead, the browser should make the decision for them. However, in the case of self-signed certificates it’s almost impossible to see how any technology can disambiguate between legitimate uses and criminal ones.

When viewed through this lens, the changes to the Firefox user experience for self-signed certificates makes perfect sense.

Even viewed through the lens presented, the self-signed experience doesn’t make perfect sense, unless you start with the assumption that a $29 SSL cert has some useful security value. I don’t believe it does. What it does is get rid of the ’self-signed’ warnings. There are cheaper and easier ways to do that. Most of the certificates out there are signed by a company that the relying consumers have never heard of. There’s just not that much verification that can be done for $29. Today, anyone who’s broken into a company’s mail server can buy a fake cert with a stolen credit card.

Now, Michael’s employer is under massive attack. I am sympathetic to their desire to improve things, and I applaud a lot of things that they do. For example, their use of one time password tokens is great. I also think there’s great value to pushing people to recent browsers.

At the same time, it’s sensible for them to want to shift risk-part of me even welcomes the risks and attacks hitting the CAs. But I think that imposing yet another security tax, based on a static analysis of attackers, and some certificate authority pixie dust isn’t going to help things for very long.

And given the very real costs and the very fuzzy benefits, I think that breaking self-signed certificates is the wrong approach. What’s the right approach? I wrote “Preserving the Internet Channel Against Phishers” three years ago. I think that the advice isn’t silly at all.

Julie Rehmeyer of Science News writes in, “The Tell-Tale Anecdote: An Edgar Allan Poe story reveals a flaw in game theory” about a paper Kfir Elias and Ariel Rubenstein called, “Edgar Allan Poe’s Riddle:
Do Guessers Outperform Misleaders in a Repeated Matching Pennies Game?

The paper discusses a game that Poe describes in The Purloined Letter. In it, the Misleader selects a number of marbles, coins, or whatever (grab them in your hand), and the Guesser guesses if the number is even or odd. Poe opines that it’s a game of skill rather than luck. (Read the article for more detail, or even better, the primary source.)

If you look at it from a simple game-theoretic viewpoint, the Guesser and the Misleader have equal odds. They might as well be flipping coins. However, there is a sense in which it’s a game of skill.

Our intrepid mathematicians showed that in their construction of the game, the guesser has a slight advantage — 3% — which is enough to get Las Vegas interested. They also examined modifications of the game and after several modifications brought it back in line with the predictions of game theory.

This brings up a number of interesting things to think about, including that Poe was on to something ahead of his time, as usual. Funny how that wisdom was hiding in plain sight. I wonder if he planned it.

Chris’s beach reading recommendations
John Maynard Smith, Evolution and the Theory of Games
James S. Coleman, Foundations of Social Theory
Ken Binmore, Natural Justice

In “Crowd control at eBay,” Nick Carr writes:

EBay has been struggling for some time with growing discontent among its members, and it has rolled out a series of new controls and regulations to try to stem the erosion of trust in its market. At the end of last month, it announced sweeping changes to its feedback system, setting up more “non-public” communication channels and, most dramatically, curtailing the ability of sellers to leave negative feedback on buyers. It turns out that feedback ratings were being used as weapons to deter buyers from leaving negative feedback about sellers.

He goes on to rail against the usefulness of feedback loopss:

As these sites grow, keeping them in line requires more rules and regulations, greater exercise of central control. The digital world, it seems, is not so different from the real world.

However, he doesn’t question EBay’s central decision. If the goal is to control retaliatory feedback, then require all feedback be given within N days (N might vary for transaction types, international shipping, etc), and don’t reveal the feedback until both buyer and seller have finalized what they want to say.

(Personally, I think that some structure in the feedback–was the item as described? was it shipped quickly and as requested? was the interaction business-like, chatty, or rude? could enhance things a lot, as would displaying the value of the transactions. But that’s an aside.)

What’s important is that EBay is replacing a transparent and manipulated system with one that’s going to be worse for their customers, and more expensive to operate. It will be interesting to see what emerges from this. Will a worse feedback system be enough to overcome the network effects and allow a strong competitor to emerge?

Thanks to Nicko van Someren for the pointer.

Why is it we easily admit that spammers are people smart enough to run massive bot nets, design custom malware, create rootkits, and adapt to changing protection technologies but we still think that they’re unable to write a pattern to match “user at domain dot com”?

Kudos to the first person who puts such a pattern in the comments below.