Slashdot Mirror


User: testcase61

testcase61's activity in the archive.

Stories: 0 · Comments: 2

Comments · 2

  1. Re:Knee-jerk on Senate Committee Votes To Fingerprint Lenders · Score: 1

    Actually, pardon the pun, but you've really put your finger on the antidote to this whole Total Information Awareness thing; what I call "Mirrored Surveillance".

    Mirrored Surveillance is not hard to understand - it's about citizens videoing, recording, naming, shaming and outing authority figures trying to violate our singular and collective rights.

    Of course 99% of people will never practice Mirrored Surveillance in any form. But fortunately, only a few guys with balls of steel like this character are required to make the point:

    http://www.liveleak.com/view?i=133_1210305250&p=1

    Note how this INS Brownshirt wilts and finally bends the knee as the awesome power of the Bill of Rights is unflinchingly applied to her.

  2. Re:Agreed on Cisco CSO Says Antivirus Money "Completely Wasted" · Score: 2, Interesting

    Actually, security is not about technology at all. It's about economics.

    We get hung up on the minutiae of security, and toss around old chestnuts about obscurity and user responsibility, but that kind of thinking has finally run us aground. It has no future.

    At the end of the day, cracking systems is work, and crime is a business. The only systems that are really at risk are the ones that can be exploited profitably in some way, and only in that way.

    This means in practice that we don't have to protect all conceivable access points, we really only have to deny an exploiter a profit from their troubles.

    If you think about it, there are many very simple and creative ways that you can deny a criminal a profit without in fact limiting your own utility. For example, I can create a throw-away instance of a machine on a grid that will do everything I want it to do, and then when it's done, I simply shut it down. So a black hat has maybe 20 minutes to crack my system and exploit it to hell and gone before I throw it away.

    Now maybe I've got the entire credit card database for the world's largest bank on that machine, or maybe not - the bad guy has to *pay up front* to find out, and he has to move fast. Even if he's made a good bet, he can still be denied his profit because I might shut down before he's found what he needs. He only has to try this a few times before he works out his ROI from attacking me is a big fat negative number, and gives it up as a bad joke.

    Who cares that this is "security by obscurity?" That's just a slogan. What I'm saying is that we are thinking of security in the old Cold War way, Spy vs Spy, treating it like it was an arms race. Well, nobody ever wins an arms race except the arms merchants.

    We need to stop obsessing about plugging holes. By all means, we should do the obvious. But flip their ROI and it's all over. This is the universal vulnerability of all computer crime.