Monday, January 08, 2007
From the Island of Lost Posts: Our Failed Net Security Model
by Tom Bozzo
A follow-up of sorts ran yesterday (*): news flash, the 'botnets' (**) that churn out spam and hunt for valuable personal data are a big and growing threat to security on the 'nets. The lede is buried in the last quarter of the article:
The computer security industry mostly sells its products on a subscription basis. From one perspective — the security software firms' — this makes sense in that it aligns the revenue stream with the ongoing costs of modifying software to meet current threats.
From another, it makes no sense at all. As with any decentralized, price-based incentive system, some people will fail to take the hint, rationally or otherwise, by deliberately seeking to save a buck or two on the purchase price of the software or letting their subscriptions expire. Software vendors may actually make things worse by offering "incentives" to resubscribe in the form of totally disabling the software when the subscriptions expire — I discovered over vacation (sic) that the third-party firewall software on my mother's Windows PC had turned itself off and not had the courtesy of turning the Windows built-in firewall on, exposing the computer to the naked Internet for some unknown amount of time. So, the economic model for network security software all but ensures an adequate supply of undefended computers for spammers and fraudsters to compromise.
(As an aside, a pet peeve of mine is the economically-minded sometimes forgetting that extra-market solutions such as regulatory mandates are useful where it's socially costly for people to opt to ignore a price-based incentive, including the significant subspecies of the the well-off ignoring the incentive. The slow adoption of energy-efficient light bulbs also seems to provide a strong natural experiment suggesting that people are bad at looking past shelf prices to the fuller cost consequences of their decisions. This is not to say that price-based incentives aren't an imporant policy tool, but they're not the end-all.)
In addition to supplying net criminals with marks, the way computers are connected to the Internet go a long way to reducing the effectiveness of a hypothetical immune system for the 'net. Firewalls foreclose some means of infecting computers, though by no means all; it stands to reason that some botnet nodes are happily chugging away behind unsuspecting users' security barriers. Meanwhile, they would prevent some means by which beneficial software might inspect computers for infections.
The upshot is that the market model for net security is a failure, and what is needed is something more like biological immune systems, particularly in the sense of not depending on the behavior of individual network nodes to keep the whole organism relatively healthy. It's hard to see how some sort of mandated authentication system that would allow 'immune system' software to work wouldn't be part of the solution (see, e.g., Vernor Vinge's Rainbows End for a SF perspective). Such systems have been deprecated, legitimately, as mainly being vectors for intellectual property holders to run roughshod over the creative commons; they're also unlikely to be totally secure and will come with serious privacy concerns (see Vinge on both counts). But the current system features many of those costs already, and foregoes some of the benefits.
-------------------------
(*) Strictly speaking, this is a more current issue than typical Island of Lost Posts fare.
(**) Computers compromised by viruses and other malware to do malefactors' bidding.
A month ago, the NYT ran an article (now in Times Select jail) that the econosphere, far as I can tell, basically ignored: the news flash, 'spam' is getting a lot worse. Interestingly, the methods used to defeat spam filters materially alter the economics of spam. When spammers need to send a lot more data to confuse the filters, it adversely shifts the cost side of the equation of minuscule response rates from suckers and infinitesimally small bandwidth costs. The spammers' solution has been bandwidth theft, going to show how important externalizing costs are to some business models.
A follow-up of sorts ran yesterday (*): news flash, the 'botnets' (**) that churn out spam and hunt for valuable personal data are a big and growing threat to security on the 'nets. The lede is buried in the last quarter of the article:
“It’s a huge scientific, policy, and ultimately social crisis, and no one is taking any responsibility for addressing it,” said K. C. Claffy , a veteran Internet researcher at the San Diego Supercomputer Center.
The $6 billion computer security industry offers a growing array of products and services that are targeted at network operators, corporations and individual computer users. Yet the industry has a poor track record so far in combating the plague, according to computer security researchers.
There is scarcely a word about the causes, which are fairly obvious but get into forbidden territory.
The computer security industry mostly sells its products on a subscription basis. From one perspective — the security software firms' — this makes sense in that it aligns the revenue stream with the ongoing costs of modifying software to meet current threats.
From another, it makes no sense at all. As with any decentralized, price-based incentive system, some people will fail to take the hint, rationally or otherwise, by deliberately seeking to save a buck or two on the purchase price of the software or letting their subscriptions expire. Software vendors may actually make things worse by offering "incentives" to resubscribe in the form of totally disabling the software when the subscriptions expire — I discovered over vacation (sic) that the third-party firewall software on my mother's Windows PC had turned itself off and not had the courtesy of turning the Windows built-in firewall on, exposing the computer to the naked Internet for some unknown amount of time. So, the economic model for network security software all but ensures an adequate supply of undefended computers for spammers and fraudsters to compromise.
(As an aside, a pet peeve of mine is the economically-minded sometimes forgetting that extra-market solutions such as regulatory mandates are useful where it's socially costly for people to opt to ignore a price-based incentive, including the significant subspecies of the the well-off ignoring the incentive. The slow adoption of energy-efficient light bulbs also seems to provide a strong natural experiment suggesting that people are bad at looking past shelf prices to the fuller cost consequences of their decisions. This is not to say that price-based incentives aren't an imporant policy tool, but they're not the end-all.)
In addition to supplying net criminals with marks, the way computers are connected to the Internet go a long way to reducing the effectiveness of a hypothetical immune system for the 'net. Firewalls foreclose some means of infecting computers, though by no means all; it stands to reason that some botnet nodes are happily chugging away behind unsuspecting users' security barriers. Meanwhile, they would prevent some means by which beneficial software might inspect computers for infections.
The upshot is that the market model for net security is a failure, and what is needed is something more like biological immune systems, particularly in the sense of not depending on the behavior of individual network nodes to keep the whole organism relatively healthy. It's hard to see how some sort of mandated authentication system that would allow 'immune system' software to work wouldn't be part of the solution (see, e.g., Vernor Vinge's Rainbows End for a SF perspective). Such systems have been deprecated, legitimately, as mainly being vectors for intellectual property holders to run roughshod over the creative commons; they're also unlikely to be totally secure and will come with serious privacy concerns (see Vinge on both counts). But the current system features many of those costs already, and foregoes some of the benefits.
-------------------------
(*) Strictly speaking, this is a more current issue than typical Island of Lost Posts fare.
(**) Computers compromised by viruses and other malware to do malefactors' bidding.