Creative Commons License 
This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 2.5 License.



January 28, 2008

Security and the Myth of the Superuser

Bruce Schneier runs a great blog, Schneier on Security, and I stumbled across a post of his from last May entitled The Myth of the Superuser.  In a very understated way Schneier refers to what he describes as a "very interesting law journal paper".  It certainly is.  The paper in question is The Myth of the Superuser: Fear, Risk, and Harm Online by Paul Ohm, Associate Professor of Law and Telecommunications at the University of Colorado Law School.

The abstract states:

"Fear of the powerful computer user, "the Superuser," dominates debates about online conflict. This mythic figure is difficult to find, immune to technological constraints, and aware of legal loopholes. Policymakers, fearful of his power, too often overreact, passing overbroad, ambiguous laws intended to ensnare the Superuser, but which are used instead against inculpable, ordinary users. This response is unwarranted because the Superuser is often a marginal figure whose power has been greatly exaggerated.

The exaggerated attention to the Superuser reveals a pathological characteristic of the study of power, crime, and security online, which springs from a widely-held fear of the Internet. Building on the social science fear literature, this Article challenges the conventional wisdom and standard assumptions about the role of experts. Unlike dispassionate experts in other fields, computer experts are as susceptible as lay-people to exaggerate the power of the Superuser, in part because they have misapplied Larry Lessig's ideas about code.

The experts in computer security and Internet law have failed to deliver us from fear, resulting in overbroad prohibitions, harms to civil liberties, wasted law enforcement resources, and misallocated economic investment. This Article urges policymakers and partisans to stop using tropes of fear; calls for better empirical work on the probability of online harm; and proposes an anti-Precautionary Principle, a presumption against new laws designed to stop the Superuser."

Don't let the "law journal" label scare you away.  This really is a very interesting and thought-provoking read.  Although phrases like "exaggerated attention to the Superuser" and "overbroad prohibitions" might lead you to think that Ohm is downplaying the risk of lax computer security, upon careful reading I don't think he is.  Rather, what he is suggesting is a more balanced and reasoned approach to security.

Continue reading "Security and the Myth of the Superuser" »


| Comments (0) | TrackBack (0)


August 13, 2007

Return of the Hanging Chad?

The other day while driving to work I heard an interesting report, Voting Officials Wary About Electronic Ballot, on NPR (National Public Radio).  The report talked about the potential problems with electronic voting machines.  Like a number of other reports, such as a recent New York Times article or Bruce Schneier's excellent analysis from November 2004, "The Problem with Electronic Voting Machines", the NPR report talked about some of the issues of electronic voting.

The problems associated with electronic voting machines are well-known and Schneier does an excellent job of expanding on them:

  • Hacking - someone hacking into the system to commit voting fraud
  • Programming errors - software errors causing unintended widespread consequences
  • Accuracy - under-counting, double counting etc.

In looking at this I found two things rather interesting.  The first is that we are still seeing technical issues with electronic voting.  We do our banking, manage our 401Ks, buy stock, arrange mortgages and more electronically without these issues (well, OK, hacking will always be a concern).  So why can't we solve the issues around electronic voting?  Part of the answer is that voting is a harder problem than banking: a bank transaction is tied to an identity and can be reviewed and reversed, while a secret ballot must leave no receipt linking a voter to a vote, so neither the voter nor an auditor can check an individual electronic vote after the fact.  Even so, it seems rather strange that we haven't been able to address all of these issues yet.

The second and most interesting thing (at least for me) was the reaction of some politicians and journalists to the issues.

Continue reading "Return of the Hanging Chad?" »


| Comments (4) | TrackBack (0)




August 01, 2007

An IT Question: Blocking Non-Business Internet Sites

One of the company Vice Presidents stops by your office and expresses concern that some of their people may be spending too much time on the Internet, and wants to know if there is anything you can do about it.  You mention that you do have a filtering program, but it is set only to filter objectionable sites such as gambling, porn, etc.  You explain that filtering non-offensive but seemingly non-business-related sites may be counter-productive, as it is often difficult for IT to determine which sites truly have no business application.  You go on to cite examples where viewing sports, restaurant, job board, real estate and other sites was business related.  The VP is not impressed and insists that you block all sites that are not obviously and directly related to your company's business.  You know other VPs do not share this concern.

How do you respond to this request to block Internet access to "non-business" sites?

"Help" photo by Cobber99

Got a question you'd like me to post for future discussion?  Email it to me using the "Email Mike" link in the left hand column.

If this topic was of interest, you might also like the other posts in the IT Question category.


| Comments (8) | TrackBack (0)


February 01, 2007

An "Ah Ha" Moment on Computer Security

I had a reminder the other day on computer security that was an "Ah Ha" moment.  It was one of those moments of breakthrough understanding where you instinctively say "Ah Ha".  The concept was not new to me; I have instinctively "known" it for some time, but the elegance of a simple five-word statement just struck me for its clarity.

Continue reading "An "Ah Ha" Moment on Computer Security" »


| Comments (0) | TrackBack (0)


January 29, 2007

Surfing Conditions

In my last post, "IT is NOT your Mother", I talked about IT restricting access to non-business sites and made my case for why this is a bad idea.  Two key points I made were:

  • It is the supervisor's job to let people know what is expected of them.  Excessive use of the Internet for non-business items is a supervisory issue more than a technical issue.
  • It is important to treat people as adults, with trust and respect.  I believe it is likely that most will act accordingly.

To go along with this I promised some practical tips on how to write and use good email and Internet usage policies (also known as AUPs or Acceptable Usage Policies).

Continue reading "Surfing Conditions" »


| Comments (2) | TrackBack (0)


January 17, 2007

A Timely Example

My good friend Russ Svendsen recently sent me a link to a rather timely article in the International Herald Tribune (IHT) that ties in nicely with my recent post on shadow IT and also my post on People and IT Security.  The IHT article "Firms fret as office e-mail jumps security walls" talks about corporate email users forwarding company email to free web-based email programs such as Google's Gmail or Yahoo! Mail.  The story is also posted at TechNewsWorld.

People like to use these systems because it lets them bypass the hassle of dealing with security provisions such as multiple passwords, the corporate email system only being accessible from company PCs, or special security systems.  Simply put, using these services is easier and quicker than the approved corporate systems.  Use of these methods can quickly spread as users pass along tips to each other or the shadow IT guys add it to their bag of tricks to make things simpler.

The formal IT folks are understandably worried about this due to the increased possibility of viruses and spyware.  But it isn't only the IT folks that have concerns.  Circumventing the corporate email systems raises issues of data control and integrity, which gets the attention of the lawyers and the Human Resources folks.  Having email stored where IT cannot locate it can raise serious legal issues if it involves subject matter caught up in a lawsuit.  Likewise there are legal requirements regarding data privacy, for example for patient data, that are hard to meet when that data is stored in this manner.  As the IHT story reports, "The Web mail services may also be prone to glitches. Last month, Google fixed a bug that caused the disappearance of "some or all" of the stored mail of around 60 users. A week later, it acknowledged a security hole that could have exposed its users' address books to Internet attackers."  Try telling your CEO that Google lost your company's data.
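Before deciding how hard to push back on this, IT usually wants to know how big the problem actually is.  Here is an added example of the kind of check that answers that question; it is not code from the original post or from the IHT story.  It assumes a hypothetical mail-transport log format (one line per delivery, with an auto_forward flag), a constructed set of log lines, an assumed corporate domain (example.com), an assumed partner allow-list and an assumed threshold; the webmail domains are the two the post mentions plus hotmail.com.

```python
"""Spot corporate mail being auto-forwarded to consumer webmail.

Added example, not code from the original post. The log format below is
hypothetical (one line per delivery); real MTA logs such as Exchange message
tracking or Postfix logs differ, so parse_line() would need adjusting.
"""
import re
from collections import defaultdict

CORPORATE_DOMAIN = "example.com"                              # assumption
WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com"}   # gmail/yahoo from the post, hotmail assumed
ALLOWED_EXTERNAL = {"partner.example.net"}                    # assumed partner allow-list
THRESHOLD = 3                                                 # assumed: forwards per mailbox that count as systematic

# Hypothetical log line: <timestamp> from=<addr> to=<addr> subject="..." auto_forward=yes|no
LINE_RE = re.compile(
    r'^(?P<ts>\S+) from=<(?P<sender>[^>]+)> to=<(?P<rcpt>[^>]+)> '
    r'subject="(?P<subject>[^"]*)" auto_forward=(?P<fwd>yes|no)$'
)

# Constructed sample log, including one malformed line the parser must skip.
SAMPLE_LOG = """\
2007-01-15T08:01:12Z from=<alice@example.com> to=<bob@example.com> subject="Q1 numbers" auto_forward=no
2007-01-15T08:02:40Z from=<alice@example.com> to=<alice.smith@gmail.com> subject="Q1 numbers" auto_forward=yes
2007-01-15T08:03:05Z from=<alice@example.com> to=<alice.smith@gmail.com> subject="FW: patient list" auto_forward=yes
2007-01-15T08:04:11Z from=<alice@example.com> to=<alice.smith@gmail.com> subject="board deck" auto_forward=yes
2007-01-15T09:10:00Z from=<carol@example.com> to=<carol@partner.example.net> subject="contract" auto_forward=yes
2007-01-15T09:12:33Z from=<dave@example.com> to=<dave99@yahoo.com> subject="lunch?" auto_forward=no
2007-01-15T09:15:00Z from=<news@vendor.example.org> to=<erin@example.com> subject="newsletter" auto_forward=no
this line is garbage and should be skipped
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sender_domain"] = rec["sender"].rsplit("@", 1)[-1].lower()
    rec["rcpt_domain"] = rec["rcpt"].rsplit("@", 1)[-1].lower()
    return rec


def classify(rec):
    """Label the recipient as 'internal', 'allowed', 'webmail' or 'external'."""
    dom = rec["rcpt_domain"]
    if dom == CORPORATE_DOMAIN:
        return "internal"
    if dom in ALLOWED_EXTERNAL:
        return "allowed"
    if dom in WEBMAIL_DOMAINS:
        return "webmail"
    return "external"


def find_webmail_forwards(log_text):
    """Return {sender: {"count": n, "subjects": [...]}} for corporate
    mailboxes whose mail was auto-forwarded to a consumer webmail domain.
    Hand forwards (auto_forward=no) and mail to allow-listed partners are
    ignored; inbound mail from outside the company is skipped."""
    per_sender = defaultdict(lambda: {"count": 0, "subjects": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["sender_domain"] != CORPORATE_DOMAIN:
            continue
        if rec["fwd"] == "yes" and classify(rec) == "webmail":
            entry = per_sender[rec["sender"]]
            entry["count"] += 1
            entry["subjects"].append(rec["subject"])
    return dict(per_sender)


def systematic_forwarders(log_text, threshold=THRESHOLD):
    """Mailboxes with at least `threshold` auto-forwards to webmail, sorted."""
    return sorted(s for s, e in find_webmail_forwards(log_text).items()
                  if e["count"] >= threshold)


if __name__ == "__main__":
    for sender, entry in find_webmail_forwards(SAMPLE_LOG).items():
        print(f"{sender}: {entry['count']} auto-forwards to webmail "
              f"(e.g. {entry['subjects'][0]!r})")
    print("systematic:", systematic_forwarders(SAMPLE_LOG))
```

On the constructed log this flags alice (three rule-based forwards to Gmail, one of them a patient list) and ignores carol (allow-listed partner) and dave (a hand forward of a lunch invitation).  A check like this only sees the channel the mail server can see: users who read corporate mail from a webmail client over IMAP, or who forward by hand, will not show up, which is one reason the awareness argument below matters as much as the technical check.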

Obviously we have a significant security issue resulting from the shadow IT effect of using outside email systems.  The challenge is how we address this in our IT security program.  The 3 goals of an IT security program are:

  • Tight security
  • User convenience
  • Low cost

Along with this goes an old saying: when implementing a security system you can pick any two of the above, but you have to be willing to sacrifice the third.   This is not a pleasant scenario.  So what do we do?

This is where the "people factor" I mentioned in People and IT Security comes into play.  Making security awareness an important part of your security program can help.  It won't solve the pick-2-and-sacrifice-1 conundrum, but it can help minimize the problem.  It is naive to think a security awareness effort will eliminate the issue entirely, but with some effort you may be able to contain it.  Without awareness, users are only concerned with the convenience factor and hence their choice is easy.  Some would argue that users are concerned with security too, but typically only once security becomes an issue and not until then.  A good awareness program can help them appreciate all 3 concerns and help create a workable balance.

What are your thoughts on this?

One logical question that this discussion raises is - What constitutes a good security awareness program?  I'd love to hear your thoughts on this and perhaps we can have a future post on that topic.



| Comments (0) | TrackBack (0)


January 09, 2007

People and IT Security

I came across some interesting posts on IT security.  The first is 10 Steps to Creating Your Own IT Security Audit by the folks at ITSecurity.com.  This gives a good overview of some of the things you need to look for.  It is not a comprehensive outline, nor is it intended to be.  The sub-title of the posting is "If a security auditor isn't in the budget, these 10 IT security audit tips will go a long way in empowering you to protect your business."  With that qualification it does provide a good starting point.  When you read this article, also read the comments posted with the article and on Digg.com.  These also provide some interesting insight.

When I read this, the one thing I did think was missing was employee awareness.  Getting employees on board with the concepts of your security program is essential.  If they "get it" your program can be a success.  If they don't, they will figure out ways around it to make their life easier, which also leaves big security holes for anyone to exploit.  Locks on the door don't help if someone props it open, so to speak.  For me employee awareness is the number 1 tool in making a security program successful.

I subsequently found a posting by Dan Morrill entitled Information Security as a People Problem.  Dan references a posting on out-law.com by John Colley entitled The information security professional is more than 'a necessary evil'.  I was encouraged to see his statement:

"We need to remind ourselves again and again that information security is not a technology issue – it’s a people issue. We are reliant on people, their awareness, ethics and behaviour, and we must understand what they want to achieve if we are to accomplish the goals of business. This includes the employees that deliver our services and the customers that take advantage of them, as well as the senior executives and board room directors that grant us our budgets."

Like so many other things in our technology environment the lesson remains - Don't forget the people factor.  Security (or technology) won't work if we don't design it in a way that our people will use it properly and effectively.

How have you applied the "people factor" in your security plan?


| Comments (0) | TrackBack (2)


December 22, 2006

99 Email Security, Netiquette and Productivity Tips

The folks at ITSecurity have a great article, Hacking Email: 99 Email Security and Productivity Tips, that lists 99 tips that can improve our use of email.  Email at times can be a powerful and useful communication tool.  At other times it can be the bane of our existence when the inbox is overflowing.  Take a look at these tips; I think you'll find them useful.  (Thanks to Grigor at behind the glasses for providing the link to this article.)

The two tips that I found especially significant were:

22. Remember the telephone. Unless you need a written record of a given communication (or if the person you're communicating with is long distance), consider calling (or sending a letter to) your intended recipient instead of an email. People often default to writing an email because it is quick and easy; but sometimes a handwritten letter or phone call can provide the personal touch your communication really needs.

42. Cut to the chase. Sometimes a text chat is the best way to resolve a communication quickly, instead of sending a dozen emails back and forth. By keeping the back and forth emails to a minimum, you keep your inbox under control and prevent the need to declare email bankruptcy and start all over.

I've always told the people that work for me about Schaffner's 3-email rule, which is based on some of the same concepts as tips #22 and #42 but with something extra.

If an email thread goes beyond 3 levels and it has become more of a conversation than a factual exchange of information, then it is time to stop emailing, get up out of your cubicle and go talk to the person face-to-face (or, if distance precludes that, talk by telephone).

My reasoning is that with the inherent limitations of email (and of instant messaging too), where there is no body language feedback or intonation of speech, you quickly have a "conversation" where the two parties are talking "at" each other rather than "with" each other.  Although this can happen with face-to-face conversations too if you are not careful, why not take the effort to increase the chances of a true exchange of viewpoints?

Break that email chain and actually go talk with someone.  You just might find out what you need and maybe some more and probably quicker too!

What email tips or rules do you have?


| Comments (0) | TrackBack (0)









This is the personal blog of Michael W. Schaffner. The opinions expressed in this blog are solely mine and those of commenters. You should not infer that these opinions are the opinion of, or have been endorsed by, any current or former employer.
Copyright 2006, 2007, 2008 Michael W. Schaffner.  You may copy or quote sections of this blog if you provide an attribution consisting of a reference to Michael Schaffner and "Beyond Blinking Lights and Acronyms" along with a hyperlink (if a web reference) to the blog posting.