Simplicity is Security
Thursday, August 13, 2009 at 11:30AM
Per the best of the best in presenting, what makes a good slide deck? Simplicity.
I want to pose a statement: "Simplicity is Security". The reason I say this is that in this day and age, at least in the US, 'convenience' is king, and we try to protect those conveniences with 'security'. Let me back up a bit: this train of thought started when I tried to explain the insecurities of WiMAX to my wife. We saw a WiMAX device that plugged straight into your computer. I told her this was bad because, by connecting through it, your machine sits directly on the network with no barrier (no home router or firewall appliance) between you and the 'bad guys' other than possibly the Windows Firewall. Her answer surprised me. 'So?' is all she said.
Japan doesn't use 'Check Cards' or even, for that matter, really use credit cards. To get such a card you need to go through a book's worth of paperwork, so it's just not 'convenient' for most people, and they don't get them. So guess what? They don't bank online, and they don't buy stuff online. I racked my brain to figure out what could possibly be on her computer that a 'bad guy' would want. I couldn't think of anything (maybe you can). The government relies on paper backups of anything electronic (so it hardly makes electronic versions). Signatures are based on stamps that are difficult to copy. The worst a hacker could do with her computer is use it as a zombie, and even then, the ISPs there detect and disconnect excessive use.
Where did we as "Security Professionals" go wrong? Was it the fat paychecks we wanted? Was it the fear of the 'underground'? Reality seems to dictate that we will continue on this path from the analog to the digital, from paper and clerks to networks and AI. The question I want to ask you, though, is this: should we continue down the path of "MORE SECURITY", or should we deviate a bit toward simpler, possibly non-technical practices?
After these last two posts you may assume that I favor the Japanese culture and way of life over the US one. You would be mistaken; I simply learn, take the best parts of what I learn, and try to apply them where I can. Learning from others' triumphs and defeats, strengths and weaknesses, is a basic human function that we as humans should embrace.
Rob Fuller

Reader Comments (7)
Brian Krebs did a pretty good article about the value of a hacked machine: http://voices.washingtonpost.com/securityfix/2009/05/the_scrap_value_of_a_hacked_pc.html
I would make a comparison to an old shed that is no longer being used. Even though I may not keep anything in there anymore, I still would not want someone squatting there.
We (as a culture, even outside of security and IT) have been making poor choices for a long time in the name of laziness. The washing machine doesn't save any time in many households I've seen. Instead people have 2 or 3 costume changes per day, so they create more volume, and in the end the same amount of time (plus money for electricity) is wasted by using the washing machine. One step forward, two steps back.
The same holds true in IT and IT security. The 'safer' I feel because of SSL certs, the lazier I get with my credit card info. The more promises of a safety net I get from VISA regarding internet fraud, the lazier I get with keeping my CC info secure. Etc.
In the end, most people would actually be happier living in a hut in the middle of nowhere. Less smog, less commute to work, and fewer people harassing them. But people are too stupid to see it that way. They want malls, and cell phones, and other 'big city' things. Security is the same way, imo. People want to be secure, but they also want a credit card with a chip in it, so they don't even have to swipe the card through a reader (or even take it out of their wallet).
You didn't address the real point of security: are they adequately protecting what they think is valuable with their current system? And is it meeting the Japanese level of efficiency they are known for, or do they just deal with it because it's inconvenient?
Bigger, better, faster: that is American society. Hollywood is showing us that we can just do anything by swiping a card/device and it's all yours. Star Trek, the final frontier. The age of computers doing everything is upon us. Funny how Japan is backwards from an American perspective on this topic but far advanced in robotics. Values and priorities.
[...] #2 - Simple Security: We’ll be honest; this post got our attention before we even read it. With a title like “Simplicity is Security,” how could it not? Taking an interesting look at security by examining the use (or lack thereof) of debit and credit cards in Japan, @mubix makes some excellent points about how our desire to jump on every technological advance that comes along is making it harder to have good security. After talking about how people in Japan usually don’t have credit cards, debit cards, or do any of their banking online, @mubix poses the following question to his readers: “Should we continue down the path of “MORE SECURITY” or should we deviate a bit for simpler, possibly non-technical practices?” While we can’t say that we totally agree with the route of non-technical practices, we do believe that there is a happy medium. To answer the question for yourself, why not check out the full post? [...]
Mubix, you have a big point here, as we all know that security through obscurity doesn't really work and complexity is just a synonym. Have you looked at why things in IT require so much complexity? I found two pertinent aspects: human behavior and outdated technology. Put them together and ... BOOM! Most people are trusting and find it hard to think about how to do harm. Thus, technological implementation of more secure solutions such as IPv6, secure ARP tables, secure DNS, cryptography and even the latest patches never gets done in a timely manner. Being secure requires us to change our behavior. That takes a lot of work and there's no pill for it. As you say, in the US we want it all the easy way. In my opinion we will shift into an industry that will focus on education while having to provide very high abstraction for users, as well as coming up with ingenious ways of keeping those users secure without them having to change their behavior too much. Technology isn't always the answer. What do you think?
I wholeheartedly agree with your main point. That said -- and I hate to be the one to split hairs -- I would argue that your Japanese citations are inaccurate.
Japanese people have and use credit cards all the time. According to the Bank for International Settlements, the number of Japanese credit card holders is roughly equal to that of Germany, and even exceeds Canada. It *is* true, however, that Japan does not have 'check cards', but this is simply because Japan does not have checks. The vast majority of cards in Japan work on the system of automatically deducting the *entire* balance of the credit card once every month.
Getting a credit card is just as easy as in the States. I got my first Japanese credit card after filling out a half-page form, which took less than 5 minutes. No major form of identification was necessary. I get offers for "pre-approved" credit cards in my mail box every month.
Japanese people bank online constantly. Earlier this year, the #2 cell phone carrier, AU, launched a partnership with Tokyo Mitsubishi UFJ Bank to access all of your banking functions over your cell phone, including balance transfers. It's been hugely popular, and other carriers have followed suit. The most profitable bank in Japan in 2004 was Shinsei Bank, which differentiates itself by essentially running an online-banking-only presence. Visiting a branch requires you to interface with your account using a PC, not a bank clerk.
Japanese people buy stuff online constantly. Last year, online sales figures per capita in Japan were only slightly below those of America.
In such a disaster-prone country as Japan, it would be short-sighted to assume that the Japanese government doesn't keep easily-backed-up electronic versions of important documents. My family registry, proof of residency, and marriage certificate are all given to me as laser-printed documents (made official by a number of stamps).
Stamps (hanko, inkan) are just as easy to copy -- if not more so -- as written signatures. Life is made infinitely more difficult for the average person, as one usually has a number of these stamps with slight variations in design. They are the antithesis of simplicity. There are no records provided telling you which stamp was used for a given document. I've had documents rejected for not having the "correct" inkan, only to have the company later apologize for incorrect verification. The illusion of security is amplified by the perception among people that hanko/inkan are un-forgeable (password analogy, anyone?). It is common practice for a business to accept a document from someone other than the document holder simply because it has the correct hanko. There have been numerous news stories of wives emptying their husbands' bank accounts and fleeing the country.
The amount of data I push over my lines every month would *easily* be classified as "excessive use" (many times over). While it might be detected by the ISP, disconnections due to it are unheard of.
I agree with, and appreciate, the crux of your argument completely, but do not think that these specific examples from Japanese society are strong fodder.