Volume 4 Number 16 July 7, 2006
False pretenses
Adequate information is at the heart of "informed consent"

I'm a pretty cautious guy. I don't run with scissors; I never play poker with a guy whose first name is also a city; and I don't let anyone withdraw money automatically from my checking account (always touted as being for "my convenience," of course). The first two of these rules I learned through the wisdom of others -- the nuns and my father, respectively. The third I learned through sad personal experience.

I'm cautious in other ways, too. I have a firewall on my computer. My home wireless network is password protected (unlike those of some of my neighbors). I have anti-virus software and a spam-blocking program, and I use email aliases when dealing with most Web sites. I search and destroy spyware and adbots. I don't use easily guessed passwords. And I never click on a hyperlink in a commercial email -- ever.

So, I tend to be smug about online security. I've engaged in online commerce since before a lot of people even knew there was an online. (Anyone remember the old command-based SABRE program for making airline reservations?) I deal only with reputable online companies and, until now, most of my worries have been about questionable "privacy policies," which consist of gallons of legalese that can be changed in an eyeblink with no notice at all.

My smugness, however, has been aided and abetted by the online-commerce providers who assured me of the sanctity and security of their systems. I see little icons, both on their sites and in my browser toolbar, assuring me that I have a secure connection and that nothing can go wrong. I relied on those assurances, and made what I thought was an informed choice to engage in e-commerce, despite the reluctance of what I thought were Luddite friends and acquaintances.
Given this background, I was just a little dismayed when I read an interview recently -- one to which I alluded in a previous column -- that indicated all may not be well in E-commerce Land, and that, in fact, some e-commerce providers were actually quite concerned about the vulnerability and fragility of the Internet. The interview was posted by my old friend Dana Gardner on his Briefings Direct Web site, and consisted of a transcript of a conversation with Professor Tom Leighton, Co-founder and Chief Scientist at Akamai Technologies. Leighton is also professor of Applied Mathematics at MIT and the former chairman of the Cyber Security Sub-Committee of the President's IT Advisory Committee (PITAC). So, he has some credentials.

A lot of what Leighton has to say, especially for someone of his stature, is pretty chilling: "In fact we are already seeing some of the problems today that result from the lack of security in the Internet, through phishing and pharming, and cyber crimes -- personal identity theft -- that's already happening today. We haven't seen large examples of cyber terrorism, or warfare on the Internet, or the takeover or loss of control of key utility facilities, although that's within the realm of possibility."

Before I read this, I knew about "phishing," a shady practice in which someone sends you a phony email to get you to click a link to a phony site and give them personal data. I didn't know about "pharming." That's when you type in the correct address for your bank but, because the routing of your traffic has been tampered with at the ISP level, you are directed to a look-alike sign-on page which is owned and operated by criminals. The average person has no way of knowing that this is taking place. Everything looks normal. Leighton explains:

"There are a lot of ways he can make that happen. The basic protocols of the Internet don't have any security. For example, consider the BGP, the Border Gateway Protocol. That's the protocol that directs the path your packets take as they traverse the Internet. It's easy for a bad guy to inject false information into the BGP protocol to send those packets to him.

"One way he can do this is to simply tell an ISP that he owns the IP address of the bank, and he will set the parameters so that information doesn't spread more broadly than the particular ISP that he is attacking. And then, anyone in that ISP who dials up or gets broadband connectivity to that ISP will go to the bad guy, when they think they are going to the bank -- just because BGP doesn't think to check whether the bad guy is really the owner of that IP address."

But, I hear you say, if that were really happening, the banks, retail establishments, and financial institutions would be sending out warning after warning and returning to more stable, reliable transactions. Wouldn't they? Leighton explains:

"First, the banks, e-commerce players, and the commerce players that moved to e-commerce have already made the switch. There is no easy way to go back. The call centers are gone. The traditional methods of doing business aren't supported anymore at the levels they used to be in the past. The switch was made because the Internet offers tremendous economies. It's much cheaper to handle the transactions over the Internet than it is by the traditional methods.

"So, it's not easy for them to go back. At the same time, the banks and financial institutions are very concerned about the level of fraud and cyber crime, and their exposure to it, yet they don't have an incentive to be screaming about it publicly. In fact it's just the reverse.

"They don't want to instill fear in the population, and the industries that have moved to e-commerce are in the same situation. They are successful if people aren't fearful to use e-commerce. If people were to become afraid to use it, it wouldn't be beneficial to business.

"Today, the financial institutions are backstopping the billions of dollars in losses. I think the statistics show that 80 to 90 percent of the losses are being covered by the financial institutions and not by the person who's been victimized. But, there have been some well-publicized events recently where the person at home was left to pay. As that happens more, I think you'll see an increased chance of a backlash against using the Internet."

But we can take measures at home to protect ourselves -- much as I have done -- can't we? Leighton disagrees:

"One report I remember said that if only mom and dad at home would keep their firewall up-to-date and their anti-virus software up-to-date, we wouldn't have a problem. And that's a really naive statement, especially when you look at the biggest financial institutions and the Fortune 100 companies. Virtually all of them are routinely penetrated. They are buying every kind of cyber defense that exists in the marketplace today and they can't keep themselves from being vulnerable, and being infected. So, how are mom and dad at home going to figure it out?"

So, the bottom line -- assuming Leighton is telling the truth, and I have no reason to believe he's not -- is that things aren't as rosy as we're led to believe. If the corporations decide to stop subsidizing online crime, you and I are in for a very rude awakening, and with brick-and-mortar operations being systematically dismantled, there's no going back.

What concerns me is that I -- and a lot of other people -- have made what we thought were informed decisions based on assurances that Internet security, both at home and at the provider level, was working. Apparently it's not, and the people making the assurances know that it's not. We are being misled. At the very core of decision making is that our decisions should be informed, and that comes from having the best information the person making the decision can get. That's just not happening.
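The BGP hijack Leighton describes above, as an added example that is not part of this column or of Akamai's work: a toy Python model of one ISP's routing table that, like real BGP, accepts any prefix a peer announces without checking ownership, so an attacker's more-specific announcement captures the bank's traffic while a NO_EXPORT tag keeps the bogus route from spreading beyond that one ISP. Beside it is the Route Origin Validation check (RPKI ROAs, RFC 6811, a mechanism that postdates this 2006 column) that supplies the ownership test BGP itself lacks. All prefixes, AS numbers and the ROA are constructed values from the RFC 5737 / RFC 5398 documentation ranges, not real networks.

```python
"""Toy model of the BGP origin problem: announcements are accepted on trust.

Constructed example. Prefixes come from the RFC 5737 documentation ranges and
AS numbers from the RFC 5398 documentation block; nothing here is a real network.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    origin_as: int
    next_hop: str          # label for where packets end up: "bank" or "attacker"
    no_export: bool = False  # BGP NO_EXPORT community: route stays inside this ISP


@dataclass(frozen=True)
class Roa:
    """Route Origin Authorization: who may originate a prefix, and how specific."""
    prefix: IPv4Network
    origin_as: int
    max_length: int


# Constructed ROA: only AS64500 (the bank's hosting AS in this example) may
# originate 198.51.100.0/24, and nothing more specific than a /24 is authorised.
ROAS = [Roa(ip_network("198.51.100.0/24"), 64500, 24)]


def rov_state(route: Route, roas=ROAS) -> str:
    """Route Origin Validation (RFC 6811): 'valid', 'invalid' or 'notfound'."""
    covering = [r for r in roas if route.prefix.subnet_of(r.prefix)]
    if not covering:
        return "notfound"          # no ROA covers it; BGP would still accept it
    for r in covering:
        if r.origin_as == route.origin_as and route.prefix.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def check_origin(prefix: str, origin_as: int) -> str:
    """Convenience wrapper: validate a prefix/origin pair against ROAS."""
    return rov_state(Route(ip_network(prefix), origin_as, "unused"))


class Router:
    """One ISP's routing table. With validate_origin=False it behaves like plain BGP."""

    def __init__(self, validate_origin: bool):
        self.validate_origin = validate_origin
        self.rib = {}  # prefix -> Route; no record of who really owns the prefix

    def announce(self, prefix: str, origin_as: int, next_hop: str,
                 no_export: bool = False) -> bool:
        route = Route(ip_network(prefix), origin_as, next_hop, no_export)
        if self.validate_origin and rov_state(route) == "invalid":
            return False           # the ownership check BGP alone does not perform
        self.rib[route.prefix] = route  # otherwise the announcement is simply believed
        return True

    def exported_routes(self):
        """Routes this ISP passes on to its upstreams (NO_EXPORT ones stay local)."""
        return [r for r in self.rib.values() if not r.no_export]

    def lookup(self, ip: str):
        """Longest-prefix match: the most specific route wins, whoever announced it."""
        addr = ip_address(ip)
        matches = [r for p, r in self.rib.items() if addr in p]
        return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def hijack_demo(validate_origin: bool) -> dict:
    """The ISP hears the bank's real /24 and an attacker's more-specific /25
    tagged NO_EXPORT, then forwards what it would export to an upstream."""
    isp = Router(validate_origin)
    isp.announce("198.51.100.0/24", 64500, "bank")                        # legitimate
    isp.announce("198.51.100.128/25", 64511, "attacker", no_export=True)  # hijack
    upstream = Router(validate_origin)
    for r in isp.exported_routes():
        upstream.announce(str(r.prefix), r.origin_as, r.next_hop)
    hit = isp.lookup("198.51.100.200")  # a customer of this ISP visiting the bank
    return {
        "customer_traffic_goes_to": hit.next_hop,
        "upstream_sees_hijack": any(r.next_hop == "attacker" for r in upstream.rib.values()),
    }


if __name__ == "__main__":
    print("plain BGP:       ", hijack_demo(validate_origin=False))
    print("with origin check", hijack_demo(validate_origin=True))
```

Without the check the customer's packets go to the attacker and the upstream never sees the bogus route, which is exactly the local, hard-to-notice hijack Leighton describes; with origin validation the /25 is rejected because the ROA caps the bank's prefix at /24. One caveat a practitioner should keep in mind: a prefix with no ROA at all comes back "notfound" and is still accepted, so validation only protects prefixes whose owners have published ROAs.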
When people who have the information withhold it -- and make money from our uninformed decision -- something is dreadfully wrong.

Fallacy of the week

False precision. We see False Precision when we are presented with a difference between two things, or among many things, but the differences are so insignificant as to be meaningless. Nevertheless, some people try to portray the "best" or the "worst" based on the insignificant numbers. We see this a lot with political polls, where the results are presented in a way that gives people a misleading picture of what's going on, such as a one percent plurality lead that becomes a "mandate." We see it also in such competitions as the Olympics, where the "winner" is determined by comparing times that are milliseconds apart. Milliseconds may be significant in a CPU, but they are hardly useful measurements of human competition. The person who crosses the finish line two one-thousandths of a second ahead of someone else isn't "better" in any meaningful way.

A classic example occurred years ago when a national magazine conducted tests on cigarettes and showed that the popular brands were virtually identical in their tar and nicotine content. One brand, however, had a marginally lower level of tar than the others. Whether you smoked this cigarette or the others made no real difference. However, this didn't stop the manufacturer from running ads claiming that independent tests proved its cigarettes were the safest.

© Copyright 2006 Carlton Vogt