Of Guns and Malware

I came across this video the other day:

It's a really entertaining TED Talk about the world of computer security from the perspective of malware and presented by Mikko Hypponen of F-Secure. I encourage you to watch.

He closes with the following:

I've spent my life defending the Net, and I do feel that if we don't fight online crime, we are running a risk of losing it all. We have to do this globally, and we have to do it right now. What we need is more global, international law enforcement work to find online criminal gangs -- these organized gangs that are making millions out of their attacks. That's much more important than running anti-viruses or running firewalls. What actually matters is actually finding the people behind these attacks, and even more importantly, we have to find the people who are about to become part of this online world of crime, but haven't yet done it. We have to find the people with the skills, but without the opportunities and give them the opportunities to use their skills for good.

In other words, anti-virus and firewalls aren't the solution to our problem. Stopping the people who create and produce malware is.

At the same time, we have this sentiment that bubbled up in the news recently:

Is antivirus software a waste of money?

As it turns out, many of his security-minded peers don't use [antivirus software] either. The reason: If someone is going to try and attack them, they're likely to use a new technique, one that most antivirus products will miss. "If you asked the average security expert whether they use antivirus or not," Grossman says "a significant proportion of them do not."

That's a pretty clear indictment of the status quo. What we are doing is not working.

Guns don't kill people, people kill people

What I believe is happening here is a growing realization of what I've talked about before. The current security situation is a never ending battle of measure and counter-measure with ever increasing casualties. What is needed is a dramatic change in the way we approach this battle.

Mikko points to one way to change this. Stop trying to stop the "guns" in this battle from being manufactured and distributed; instead go after the people who are using them to commit crimes.

However, the same Wired article from above goes on to cite another approach:

Patterson said his company, Patco, had “good AV” at the time of the attack, but nevertheless it missed the password-stealing Trojan. Now, two years later, he’s taken an inexpensive step that every small business should take to prevent his company from becoming victim to this type of fraud: He’s told his bank give him a call before it authorizes any big money transfers.

This to me is the real game changer. And I hope to make Trust Inn the catalyst for that change.

Trust Inn – Never Surf Alone

This blog is primarily about interesting but obscure technology topics. Today, I'm going to take a slight diversion and market some of my recent work (which has also been responsible for a recent dry spell in blogging!).

I've started a new company: Data Bakery. Data Bakery is dedicated to developing and delivering powerful applications that put people in control of their technology – not the other way around. To that end, Data Bakery has built its first product: Trust Inn.

Trust Inn takes sophisticated encryption and information aggregation technology and packages it up as an easy to use web application. Trust Inn is focused on three problems: whether or not to trust websites you visit (trust), managing and integrating your personal information with those websites (identity) and ultimately managing your relationship to those websites (authorization).

Trust Inn is being delivered in phases, each focusing on the problems described above. Phase one (trust) is ready for early adopters today. If you are interested, check out http://www.trust-inn.com/. Do pardon the dust and be patient with us as we bring Trust Inn to life.

Asymmetric Warfare

In Computer and Network Security is Hard - Too Hard I lamented the sad state of security affairs. In that article I concluded that the only way to deal with the security problem was to launch "asymmetric warfare". Trust Inn is Data Bakery's weapon of choice in this effort.

So, what exactly does that mean? The problem I described is that the current security battle is about fighting never-ending skirmishes where only the details change. It's a new vulnerability one week and a new counter-measure the next. The story is always the same, only the details change. Trust Inn is dedicated to ending this cycle by changing the battlefield itself. This will be accomplished by addressing three areas: trust, identity and authorization.

Trust

Information about websites and whether to trust them is scattered all across the Internet in various websites, databases and technologies. It might be a rating at the BBB, a listing in a malware database or a vulnerability in SSL. Your average user doesn't have the time or the skills to aggregate and evaluate all of this information – they usually resort to luck.

For many years, I've personally believed that the Internet would change society dramatically due to the reduced ability for people to hide wrongdoing. The Internet spreads information about wrongdoing more quickly, democratically and effectively than our press could ever hope to.

Trust Inn is the embodiment of this principle when it comes to website trust. It aggregates and evaluates information for you while hosting user generated information about the trustworthiness of websites.

Identity

The concept of a username and password manager is not new – there are plenty of solid products on the market that solve that problem. However, Internet users have an identity that is completely separate from the personas they present to websites that they interact with. This identity consists of much more than a username and password; it consists of all types of information. And more importantly, there are numerous ways in which users want to securely use that information.

That's a more subtle and sophisticated problem that existing password managers do not address. Trust Inn will address this in the future by solving the problem the way users deal with it – in their web browser.

Authorization

Lastly, Trust Inn will address a problem that's deep at the heart of our security battles on the Internet: authorization. Normally, people don't think of our problems with security as an authorization problem. They believe that everything centers around usernames and passwords.

By establishing them, they instantly become a vulnerability:

  • Users must remember and protect passwords
  • Websites must store and protect passwords

This results in a fragile environment with a very large surface area. An enemy can attack the user, the website and everything inbetween to try and get the username and password.

But realistically, this is not about usernames and passwords. They are just a means to an end, the end being authorization. You only provide a username and password in order to authorize things like: logging into a website, transferring funds, sending and reading email, etc.

Trust Inn will ultimately deliver functionality that enables authorization without usernames and passwords. In this new scenario, the balance of power will be radically shifted towards the user.

Hopefully, it will be shifted enough to finally turn the tide in our battle with the bad guys.