Shostack + Friends Blog Archive


Security Flaws and The Public Consciousness

In “Duped Bride Gets No Sympathy,” Kim Cameron writes about an eBay scam. What’s interesting to me is some of the language the scammer used to justify their requests:

“Her attacker convinced her to use Western Union due to “a security breach at Paypal”.” (Kim Cameron, summarizing video)….
“Another red flag was the wire-transfer “Kate” requested, saying her account on PayPal, eBay’s own payment system, had been frozen because of — what else? — a scammer’s intrusion.” (South Bend Tribune)

People have very real challenges in dealing with con men, online or off. In the online world, a whole set of indicia that we might otherwise rely on are simply not present. Trust boundaries are abstracted away. Offline, where we meet someone is itself important information; online, that cue is gone. Figuring out how to protect ourselves online requires knowledge, it requires analysis of that knowledge, and it requires sharing effective defensive techniques.

With the rise of breach reporting, we’re starting to get anecdotes. I’m hopeful that those anecdotes can be turned into data. Unfortunately, the organizations that suffered the breaches are pushing back, and hard, against the mandatory release of information. This is clearly in their short-term interest, to avoid having customers flee. It probably isn’t in their long-term interest, and it’s certainly not in the public interest to have these failures swept under the rug.

After the break, more on why breach disclosure is in the long term interest of companies.

There are a couple of reasons that breach disclosure is in the long-term interest of companies.

  • Breaches happen. If disclosures are normalized, then the negative brand impact of any one disclosure will tend to be pretty low. Everyone makes mistakes now and then.
  • If breaches happen, and they’re not happening to you, preventing them should be a source of competitive advantage. But how can a consumer tell the difference when everyone is free to stay silent or lie?
  • Breach notices are a source of data. One of the hardest jobs a security manager has is aligning spending with risk. Getting good statistics about what goes wrong requires a stream of stories about what is going wrong. Without that knowledge, it’s hard to make good decisions. Imagine a world without crime statistics, or mortality statistics.