
Lying blackfoots, truthful whitefoots

"Do you think the Internet is a failure?"

I'm not sure where that ranks on the shortlist of questions I never thought I'd ask, but it's high up. The clarified version: "Do you think the Internet is a failure in terms of being able to support secure transactions?"

Guillaume Lovet, the senior manager for threat research and response for Fortinet, had just finished a presentation explaining the state of cybercrime, circa September 2014. The three key points: 1) everyone is a target; 2) the cybercrime scene is layered, and the top players earn a return on investment of over 400; 3) fighting cybercrime is a matter of governance, not laws. Subtopics: Android is the new Windows; financial technology is likely to be a wonderful playground for criminals; and international pressure should be put on safe havens for cybercriminals.

To return to my question. When I said it, Lovet looked thoughtful and then began drawing mathematical formulae on the whiteboard. The gist was this: the mathematician Paul Cohen proved that there is no way to write an algorithm that can perfectly detect whether the program you feed it is clean or malware. There is a nice analogy for this from the 1963 movie Charade, much of which Audrey Hepburn spends trying to figure out whether Grant's character is a good guy or a bad guy. To help confuse her further, Grant's character offers the logic puzzle of two Indian tribes, one of which always lies and the other of which always tells the truth. You cannot distinguish them because whoever you ask will always say, "I'm a truthful whitefoot" - but half of them are lying.

And so it is with programs. And on you will go down the rabbit hole of trying to figure it out. As Hepburn said, "Which one are you?"
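The impossibility result Lovet sketched is usually shown by a diagonal construction: whatever perfect detector you claim to have, build a program that asks the detector about itself and then does the opposite. The following Python is an added illustration of that argument, not code from the column or from Fortinet; the zero-argument "program" model, the misbehaviour flag it returns, and the sample detectors (including one that simply believes the program's own "I'm a truthful whitefoot" answer) are all constructed for this example.

```python
# Added illustration of the undecidability argument: for any detector that
# returns a verdict for every program, one can construct a program it
# misclassifies. The Program/Detector abstractions, the return-True-means-
# "misbehaves" convention and the sample detectors are constructed here.
from __future__ import annotations
from typing import Callable, Dict, Iterable

# A program is modelled as a zero-argument callable; running it returns True
# if it "misbehaves" (a stand-in for any harmful action) and False if it is clean.
Program = Callable[[], bool]
# A detector is a static analyser: it answers True ("malware") or False ("clean")
# without executing the program.
Detector = Callable[[Program], bool]


def is_correct(detector: Detector, program: Program) -> bool:
    """Ground truth: a verdict is right iff it matches what the program actually does."""
    return detector(program) == program()


def contrary(detector: Detector) -> Program:
    """Diagonal construction: the program asks the detector about itself and does the opposite."""
    def program() -> bool:
        verdict = detector(program)
        # Judged malware -> behave cleanly; judged clean -> misbehave.
        return not verdict
    program.__name__ = "contrary"
    return program


# Constructed sample detectors; none of them runs the program under test.
def always_clean(_: Program) -> bool:
    return False


def always_malware(_: Program) -> bool:
    return True


def name_blacklist(p: Program) -> bool:
    """Signature-style check on a known-bad name list."""
    return p.__name__ in {"dropper", "keylogger", "contrary"}


def self_report(p: Program) -> bool:
    """The whitefoot/blackfoot trap: ask the program and believe its answer."""
    return bool(getattr(p, "claims_to_be_malware", False))


# Constructed sample programs.
def honest_clean() -> bool:
    return False


def dropper() -> bool:
    return True  # misbehaves when run ...


dropper.claims_to_be_malware = False  # ... but says "I'm a truthful whitefoot"


def beaten_by_own_contrary(detectors: Iterable[Detector]) -> Dict[str, bool]:
    """For each detector, True if the program built from it is misclassified."""
    return {d.__name__: not is_correct(d, contrary(d)) for d in detectors}


if __name__ == "__main__":
    for name, beaten in beaten_by_own_contrary(
        [always_clean, always_malware, name_blacklist, self_report]
    ).items():
        print(f"{name:15s} beaten by its contrary program: {beaten}")
    print("self_report on dropper correct:", is_correct(self_report, dropper))
```

The point of the exercise is that `contrary` wins against every detector you pass in, including the signature-style `name_blacklist`, because the construction never depends on how the detector reaches its verdict, only on the verdict being available; and `self_report` fails even on an ordinary program, since asking a blackfoot whether it is a blackfoot gets you the same answer a whitefoot would give.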

The second bit of mathematics Lovet mentioned was Cantor's Theorem, which holds that the set of all subsets of a single set is greater in number than the original set. In other words: take the set of all possible programs. Malware is a subset; clean programs are a subset. You do, as they say, the math.

So we will never eliminate malware. Lovet offered the development cycle's three steps: 1) replicate your target's defense system; 2) test your malware against the target and see if it's detected; 3) if it isn't, deploy the malware. If it is, keep iterating the steps until it isn't. It is, he said, always possible to find a piece of malware that will not be detected if you can accurately replicate the defense system. So the first idea is to raise the cost of replicating the defense system - keep making it more difficult to replicate by, for example, adding complexity and randomness. This is, of course, the same approach security engineers are taking to make the Internet more resistant to passive mass surveillance.

The unhappy difficulty with that, of course, is that the more complexity you add the more difficult you also make the system to manage and use. Adding randomness means that you also cannot predict accurately what it will do. Worse, your opponent - at least, a top-level opponent - has more resources than you do and more time to study your system than you probably do. A serious opponent may wait for years for the right moment to exploit the knowledge gained through painstaking study.

Mathematics again: if you can make the process of iteration too costly in terms of time - if you can map that iteration to an NP-complete problem, that is, turn it into a problem too complicated to solve in any reasonable amount of time - maybe you can win. Finance, he said. No one understands finance now. Or e-voting, as Rebecca Mercuri proved in 2000.

I'm not sure that's encouraging. Are we safer returning to the analog world?

A pause for this story. I went to the local branch of Barclay's Bank the other day to pay my phone bill. It's under £20, a stamp costs 53p, I refuse to use Direct Debit, and it's a two-minute walk. The teller suggested mobile banking. I said, "It's not secure enough." "Oh, no," she said, "our system is very secure." The problem, of course, is not just the bank but the phone platform itself. While I was still gearing up to say this, she added that the bank had a seminar I could attend to learn how safe and secure the system was. "First of all," I said, "I've written about this stuff for more than 20 years. And second of all, don't you *want* your job?" She got so rattled she forgot to stamp the payment stub.

"There was fraud in the analog world," said Lovet, reminding me of the European Computers, Freedom, and Privacy conference, held in 1993, when someone asked David Chaum, then touting the first cryptocurrency, DigiCash, "What if it gets cracked?" The questioner was answered by John Gilmore: "I believe paper has also been cracked."

Yes, he's right. But analog cracks don't scale. This is the fundamental problem. The digital world gives fraudsters economies of scale.

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.
