Denial of Trust: The Future Security Threat

Visions of the future tend to include technology for good and for evil. The most frightening is when the former turns to the latter, seemingly without prompting by humans: robots gone wrong, Skynet, you name it. But more likely is the probability that good technology will be abused by humans for malicious purposes. In cybersecurity, this started with the urge to cheat at blackjack, but has now moved beyond financial theft and fraud into propaganda wars (aka “fake news”). How will this go further? I believe that the abuse will continue, becoming in some cases more subtle. We are getting pretty…

How Google turned me into my mother.

We are facing a big problem, one that's hidden behind the more prominent issues of cybercrime, encryption wars, and vulnerability disclosure. It's endemic to our digital infrastructure, and it's going to get worse over time. And it's so complex that I'm not sure I can do it justice in a blog post. I've been talking about it here:

https://www.youtube.com/watch?v=lU8_S0V_zOQ (B-Sides London)
https://www.youtube.com/watch?v=mKnKQv-0cwE (HouSecCon)

In a nutshell, it has to do with digital delegation.

What do I mean by that? I mean any situation where an online user needs to be able to delegate all or part of their access or capabilities to someone else -- whether temporarily, intermittently, or permanently. Most identity and access management models only deal with delegation in an enterprise context: Alice needs to go on PTO, and Bob needs to cover for her during that time, without anyone confusing the two people for the purpose of accountability.

But real life is more complicated than that, and it involves legal protections as well. Take the reasonably simple example of a minor child. A parent or legal guardian has the authority to administer many things for a child, but the design of online accounts is often muddled. Which signups does...

A matter of taste.

I've figured it out: The word "cyber" is like garlic.

For most palates, just a bit of cyber in anything is enough. It makes it all a bit more interesting.

Some people love cyber so much that they put it in everything, in massive amounts (chicken with 40 cloves of cyber, for example). Others are so sensitive to cyber that they can't stand the faintest whiff of it.

If you've been raised in a culture that uses cyber a lot, you won't realize how it comes across to those who haven't grown up with it. People will pull away from you with horrified or disgusted looks on their faces and you won't know why. When you've been steeping in cyber, you don't notice the smell any more.

There's even a certain part of the United States that just loves its cyber. It puts on a regular cyber festival, where you can get cyber flavor in everything. I've never been to it myself, but I can tell you right now that I will never accept cyber-ice cream.

Some cultures love cyber, and some don't, but if you're part of a couple and only one of you has ingested cyber that day, you're going to have...

Why the airplane analogy doesn’t fly.

Don't get me wrong — I love Trey Ford. He is one of the most inspiring infosec pros I know. He's smart, creative, full of mind-blowing ideas, and has energy to spare. And I love his talk at SecTor about what we can learn about information sharing from the aviation industry.

There's just one problem: aviation isn't all that comparable to cybersecurity.

Imagine that instead of flying the plane herself, a pilot had to convince all the passengers on the flight, EVERY flight, to do the flying together. And many of them aren't good at it, and don't care; they just want to sleep or watch videos or whatever.

The passengers change all the time, so you can't keep them educated on what to do. Depending on the size of the plane, there may be tens or hundreds of thousands of passengers helping with the flying. Instead of a finite maintenance crew that's under the direct control of the airline, there are dozens or thousands of different crews from third-party companies, all doing their bits (or not).

The aircraft types range into the thousands, dating back to Kitty Hawk and up to the newest models, and most of them have at...

When your risk profile is different.

Ready for some (more) unfounded speculation?

Both people and organizations tend to want to keep their data within a circle of trust; it's why there has been (and continues to be) resistance to putting sensitive data in the cloud. It's a function of human nature to keep things close -- which is why people still keep files on their desktops or laptops, use USB drives, and run servers at home. You keep your treasures in an environment that you know best, and where you feel you have the most control over them.

According to the Washington Post, President Bill Clinton had had a personal email server at home; Hillary Clinton had a server which had been in use during her first presidential campaign in 2008, and this same server was then set up for her at home when she took the Secretary of State post.

Besides this controversy with her home email server (and yes, I commented on that on CNN, but they must not have liked most of what I had to say), I noticed the other day that apparently Caroline Kennedy had been using personal email as well for State Department business....