Security

I got a letter the other day from my bank (the same bank I used to work for), informing me that they were changing the method of logging on used with their online banking service. I use online banking all the time, so it was with trepidation that I regarded this system “upgrade” since the current system seems to be working fine.

Specifically, the system they were going to implement included a picture with a caption and three security questions. Although the letter and online explanation were exceptionally vague, I think they’re trying to kill two birds with one stone, here. The first is, naturally, phishing. By forcing the user to select a picture and caption, then associating this picture with their computer, people can be sure that they’re on the actual bank website before they go around inputting personal information. The security questions are intended—I think—to make it more difficult for someone who has stolen your password to access your account. This is very strange to me because if someone was going to successfully spoof the bank’s website, they would include the security questions, as well. Suffice it to say that although the new system is annoying, I don’t have time to analyze it in great detail. If I weren’t so reliant on my online banking to handle my day-to-day financial business, I’d probably cancel my account. Since I can still do banking over the phone—which, stupidly, requires only a social security number and a four-digit PIN—I could actually cancel my online account with no loss of capability. It’s just a hassle.

The rationale behind the introduction of these more stringent measures is, according to the bank, to keep my information more secure. While it does, in fact, make my account slightly more secure (this is open to debate, but let’s assume it will), this isn’t really the reason. The real reason is to make it harder for the users to be fooled by a phishing site. In other words, the people who use online banking are clueless enough that they’ll blindly follow any links that show up in any emails which seem to be from the bank. It’s the users who are easily fooled, and the bank is trying to make online banking, as it were, idiot-proof.

However, the amount of extra security on the account is, when you think about it, not very much. After all, any phishing site is obviously going to spoof the questions right along with the username and password fields. The image is simple to get around. Just put up a message that says “you are required to reverify your image and caption every six months. Please do this now to ensure continued service.” Bam. Done. You just spoofed all the extra security that the bank spent months implementing—and people will continue to fall for it.

I was thinking about this while driving—annoyed at the bank for making me jump through more hoops to get the same crap done, and annoyed that it won’t actually fix any problems—when I realized that something similar is happening in a completely different industry. The underlying problem is exactly what’s happening with airline security.

A while back I talked about the technological singularity, the point where technology will advance so fast we won’t be able to predict it. Well, we have recently hit a different singularity of sorts: the security singularity. It seems like all security, regardless of industry (finance, airline security, digital rights management, RFID tagging, electronic voting machines) is bypassed almost the instant that it’s announced. We’re not even talking implementation, here. Somebody says they’ve got a new system in the works and another group announces a few days later that they’ve found a hole. There’s no such thing as foolproof security. There never was. But one thing that all these industries have in common is this: they are striving—they will do almost anything—to achieve that theoretical 100% tight, perfect security.

In order to plug every single conceivable hole, any given industry has to go to absurd lengths. The airlines started dumping out liquids. Never mind that a perfectly capable bomb can be made out of solids or malleable solids—which are easier to transport, easier to hide, and harder to detect. Since a bomb could potentially be made out of liquid, we have to go the extra step and eliminate all liquids. Does this make anyone any safer? Does it make terrorists’ plans harder to carry out? Yes. It certainly does—by a tiny, minuscule amount that is so small, it’s almost pointless to consider. Which is exactly why the measure was so ridiculed by everyone. It did make the airways safer, absolutely. But the trade-off between what was being done and how much safer it was actually making everyone was so disproportionate that it just looks absurd.

Taking all of these diverse examples that I mentioned—banking, airline security, DRM, etc—and looking at how security is implemented and how easily it’s bypassed, I came up with the following, completely unscientific graph.

(Image: security_graph610.jpg, the security vs. convenience graph, with effectiveness shown as color)

I had to map three variables in this graph, so I used color for the third dimension. This applies to anything which has security or controls which are designed to restrict people from doing something. Naturally it’s approximate; the exact shape of the line or gradient would change across industries, but the principle is the same. Also note that “convenience” is not just your personal convenience in dealing with the additional security. It is a blanket term meaning all resources that are required to make the additional security work. There is implementation and maintenance cost for the people putting the security in place. There’s additional cost to the customer. There is additional time spent on both ends. In many cases, there is government oversight. There’s the space required—either physical, on a hard drive, or on a website layout—to accommodate support infrastructure for the security. All of these things fall under the heading of “convenience”. The more security measures you introduce, the less convenient it is to do all of these things.

Starting in the upper left: something that has no security is, obviously, very easy to beat. An example of this would be the train system. There’s no security on trains. You could take a bomb on a train and blow it up and nobody would stop to question you or think twice about it at any step of the way. Trains aren’t exactly a useful target (although maybe they would be if they crossed an important bridge or something similar), so it makes sense that their security is relatively lax. Naturally, this lack of security makes obtaining a ticket and traveling on the train extremely convenient. You can buy the ticket with cash, there are no metal detectors or security lines to stand in, and so on. (Whether or not the actual train itself is convenient is another matter entirely.)

This, of course, is not sufficient for most applications. It would be the equivalent of logging on to online banking by only needing an account number (which is on every check)—or for that matter, flying on a plane as easily as we would ride a train or bus. In these cases, it’s prudent to have some sort of security, and you’ll see by the graph that by implementing some basic, common-sense security measures, we can significantly increase the effectiveness (the color of the line) of the security without drastically impairing the convenience of using the service. This is equivalent to introducing metal detectors to airline security, and searching for bombs. You don’t want to make it too easy to get the bomb on the plane, so this is a good solution for weeding out the worst offenders. For online banking, this is the equivalent of using a user name and password. All this will, of course, make it less convenient to go about your business, but mostly everyone agrees that these things are a good idea, and we’re willing to put up with the slightly reduced ease of use for the increased chance of not getting screwed.

As we continue, there is eventually a point where the practical security options are exhausted. This is where the hole-plugging begins. From here, additional security measures will continue to make things more secure, but in smaller increments. The security measures will be designed to handle smaller, more specific breaches, and so will have less of an overall effect on the effectiveness of the security. When you start to cross this threshold, this is where the security becomes annoying—such as the measures my bank is now trying to implement with their online services. As I showed, they don’t necessarily make the information more secure, but they sure are a pain in the butt. This is annoying security.

Another example of this is some DRM. Microsoft introduced a feature on the Zune which allows users to wirelessly share music files with each other. Great idea, except it wraps the file in a layer of DRM which only allows the receiver to play the song three times, or to have it three days, whichever comes first. This is annoying security—made even more so by the fact that you only have to rename the song to something.JPG, and you can share it without restriction because the Zune doesn’t put DRM on pictures (even though pictures can also be copyrighted). The implementation on the Zune is nothing more than annoying security. Apple’s iTunes, on the other hand, has practical security. It does have DRM, but it is largely transparent to end users because it works seamlessly with their iPods, to the point where they can use their music (almost) as they like and they don’t feel the need to crack it. MP3s in general have no security, hence the popularity of the format for sharing music in the first place.

There is a sharp downward decline of convenience after the practical security is exhausted. As the security measures are designed to address more specific instances, they become progressively more annoying to the people who follow the rules, until people start to think that they really are absurd. An example of this is airlines dumping out liquids. Many people thought it was dumb, but did not speak up because they had to fly, and also because what practical argument can you give that doesn’t make you look like you support terrorism? You don’t want the terrorists to win, do you? Then give us your baby formula. The problem with this line of reasoning is that if you look at the graph, you can see that the security still isn’t 100% effective at this point. In other words, dumping out liquid is absurd. There’s no need to pretend that it’s being very helpful in the fight against terrorism because it’s not! As I said, it does make us safer, but the inconvenience (not just in the traveler’s time, but also in taxpayer dollars, number of bodies needed to do the dumping, trash generated, etc.) is so much greater that it doesn’t, in many people’s minds, offset the small gain in security.

Finally, at the far end of the scale you have draconian security. This would be like the sort of dystopian “no escape” security you see in such works as 1984 by George Orwell. Even though the green at the end of the line matches the green at the end of the Security Effectiveness scale, 100% security can never be reached. Draconian security will get you close, no doubt about it. But the graph is not meant to imply that one could ever obtain full control. (In theory one could, but I’m not sure human nature would let us go that far. Although you never know.) Writers and artists everywhere have realized this fact, even if they didn’t put it into concrete terms. One thing which you will notice that all dystopian fiction shares—1984, Fahrenheit 451, Brazil, etc.—is that none of them posit 100% perfect security in which nothing “bad” happens. 1984 probably comes closest, in that you are never sure whether Goldstein actually exists or whether he’s just propaganda drummed up by the government to facilitate the Two Minutes Hate. But Fahrenheit 451 has those who memorize books; Brazil has terrorist bombers, and so on. There is always a group that can slip through the cracks of draconian security.

Our goal, then, should be to hit that happy medium—the edge of the practical security plateau—where all the common-sense measures have been implemented, the security officers are diligent, and the people are mostly free to go about their business with a minimal amount of hindrance. No, it won’t be perfect. Yes, bad guys will still get through. But they’re going to get through anyway. Naturally there must be much debate as to what exactly is a “practical” security measure. But I don’t think this even needs to be quantified; many people have an innate sense of when security has gone too far, and it’s no longer being as effective as those who implement it might like us to believe. I would be happy if we could settle on hovering between practical and annoying security.

The larger problem is to recognize that no matter what absurd measures we put in place to make things more “secure”, as long as we have people who have a motivation to break through these barriers and incite fear or cause damage, these measures will never be enough. They will always get through. After we implement all the practical security, it should be a matter of determining the motivating factors in those who would continue to violate the security even with barriers in place. (After all, the barriers are effective in preventing spur-of-the-moment attacks, such as a man trying to blow up a plane with his ex on it. When it requires planning to break through security, there is an underlying motivation that runs deeper.) If you remove the motivation for security violations, you wouldn’t need the security at all. Obviously you can never remove all of everyone’s motivations for this at the same time, and so some security must always be present. And, of course, how we go about doing this is an essay for another day.

It is possible to have too much security. While it might make us safer, it does so by an amount which is disproportionate to the convenience level: cost to implement and maintain, expense to the customer, time, and so on. If practical security is implemented and it is still being overpowered by people violating it, there is a problem that runs deeper—a problem which not even draconian security will eliminate.

-Ted