Category: game theory

Certifiably Silly

Over at “The Security Practice,” Michael Barrett writes about “Firefox 3.0 and self-signed certificates.” Neither he nor I am representing our respective employers.

…almost everyone who wants to communicate securely using a browser can afford an SSL certificate from CAs such as GoDaddy, Thawte, etc. The cost of single certificates from these sources can only be described as nominal.

There are all sorts of use cases where $29 is not chump change. For example, I own about 8 domains; that’s roughly $240 in “security taxes.” People in the third world would like to communicate securely. But most importantly, the idea assumes that it’s ok to have an infrastructure which is mostly unencrypted, and that we may trust encryption only after the certificate priests bless it. When I wrote about turning on “opportunistic encryption for PostFix,” my goal was encrypting all email. There’s no need for a CA. The threat model is passive adversaries, and there are lots of those.

My company is a major target of phishing, and as such we’ve spent quite a bit of time researching what anti-phishing approaches work. We published a whitepaper on this topic (which can be found on the company blog at www.thepaypalblog.com), which explains this in detail. However, a couple of relevant conclusions are that: 1) the vast majority of users simply want to be protected, 2) there’s no single “silver bullet”, and 3) that what we describe as “safer browsers” such as IE 7, and Firefox 3.0 are a significant part of the solution based on their improvements in user visible security indicators and secure-by-default behaviors.

You can’t always get what you want. Really, most people have little understanding of the issues. I think this is in large part because we’ve been talking down to them, in some part because the issues are complex, and in some part because it’s not important enough for them to want to become educated. It’s especially not important enough in light of debates like this one. We should try (sometime) to give people what they need.

I think we’d agree that the vast majority of users want, need and deserve protection that’s as simple and effective as we can make it. I don’t think blocking self-signed certs is a large part of that goal.

I conflated two or three separate ideas in that last sentence, and I should explain them. The general logic is that most users should never be presented with a security dialog that gives them a choice – if they are, there’s typically at least a 50:50 chance that the wrong decision will be made. Instead, the browser should make the decision for them. However, in the case of self-signed certificates it’s almost impossible to see how any technology can disambiguate between legitimate uses and criminal ones.

When viewed through this lens, the changes to the Firefox user experience for self-signed certificates make perfect sense.

Even viewed through the lens presented, the self-signed experience doesn’t make perfect sense, unless you start with the assumption that a $29 SSL cert has some useful security value. I don’t believe it does. What it does is get rid of the ‘self-signed’ warnings. There are cheaper and easier ways to do that. Most of the certificates out there are signed by a company that the relying consumers have never heard of. There’s just not that much verification that can be done for $29. Today, anyone who’s broken into a company’s mail server can buy a fake cert with a stolen credit card.

Now, Michael’s employer is under massive attack. I am sympathetic to their desire to improve things, and I applaud a lot of things that they do. For example, their use of one time password tokens is great. I also think there’s great value to pushing people to recent browsers.

At the same time, it’s sensible for them to want to shift risk, and part of me even welcomes the risks and attacks hitting the CAs. But I think that imposing yet another security tax, based on a static analysis of attackers and some certificate authority pixie dust, isn’t going to help things for very long.

And given the very real costs and the very fuzzy benefits, I think that breaking self-signed certificates is the wrong approach. What’s the right approach? I wrote “Preserving the Internet Channel Against Phishers” three years ago. I think that the advice isn’t silly at all.

Game Theory and Poe

Edgar Allan Poe

Julie Rehmeyer of Science News writes, in “The Tell-Tale Anecdote: An Edgar Allan Poe story reveals a flaw in game theory,” about a paper by Kfir Eliaz and Ariel Rubinstein called “Edgar Allan Poe’s Riddle: Do Guessers Outperform Misleaders in a Repeated Matching Pennies Game?”

The paper discusses a game that Poe describes in The Purloined Letter. In it, the Misleader selects a number of marbles, coins, or whatever (grab them in your hand), and the Guesser guesses if the number is even or odd. Poe opines that it’s a game of skill rather than luck. (Read the article for more detail, or even better, the primary source.)

If you look at it from a simple game-theoretic viewpoint, the Guesser and the Misleader have equal odds. They might as well be flipping coins. However, there is a sense in which it’s a game of skill.

Our intrepid mathematicians showed that in their construction of the game, the guesser has a slight advantage — 3% — which is enough to get Las Vegas interested. They also examined modifications of the game and after several modifications brought it back in line with the predictions of game theory.

This brings up a number of interesting things to think about, including that Poe was on to something ahead of his time, as usual. Funny how that wisdom was hiding in plain sight. I wonder if he planned it.

A++++ Fast and Professional!! Would Read Again!

In “Crowd control at eBay,” Nick Carr writes:

EBay has been struggling for some time with growing discontent among its members, and it has rolled out a series of new controls and regulations to try to stem the erosion of trust in its market. At the end of last month, it announced sweeping changes to its feedback system, setting up more “non-public” communication channels and, most dramatically, curtailing the ability of sellers to leave negative feedback on buyers. It turns out that feedback ratings were being used as weapons to deter buyers from leaving negative feedback about sellers.

He goes on to rail against the usefulness of feedback loops:

As these sites grow, keeping them in line requires more rules and regulations, greater exercise of central control. The digital world, it seems, is not so different from the real world.

However, he doesn’t question EBay’s central decision. If the goal is to control retaliatory feedback, then require all feedback be given within N days (N might vary for transaction types, international shipping, etc), and don’t reveal the feedback until both buyer and seller have finalized what they want to say.

(Personally, I think that some structure in the feedback–was the item as described? was it shipped quickly and as requested? was the interaction business-like, chatty, or rude? could enhance things a lot, as would displaying the value of the transactions. But that’s an aside.)
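The mechanism sketched above (a fixed N-day window, and no reveal until both sides have committed or the window closes), plus the structured fields from the aside, as an added example that is not code from the post or from eBay. The party names, the 30-day default and the simulated day counter are assumptions made for illustration:

```python
from dataclasses import dataclass, field


@dataclass
class Feedback:
    """Structured rating (the fields the aside suggests) plus free text."""
    as_described: bool
    shipped_promptly: bool
    tone: str            # "business-like", "chatty" or "rude"
    comment: str = ""


@dataclass
class Transaction:
    """Feedback escrow for one sale.

    `day` is a simulated clock counting days since the sale closed; the
    N-day window defaults to 30 (an assumed value; it could vary by type).
    """
    amount: float
    window_days: int = 30
    day: int = 0
    submitted: dict = field(default_factory=dict)   # party -> Feedback

    def advance(self, days: int) -> None:
        self.day += days

    def window_open(self) -> bool:
        return self.day <= self.window_days

    def submit(self, party: str, fb: Feedback) -> None:
        if party not in ("buyer", "seller"):
            raise ValueError("party must be 'buyer' or 'seller'")
        if not self.window_open():
            raise RuntimeError("feedback window closed")
        if party in self.submitted:
            raise RuntimeError("feedback already given; no revisions")
        self.submitted[party] = fb

    def try_submit(self, party: str, fb: Feedback) -> bool:
        """Same as submit(), but reports rejection instead of raising."""
        try:
            self.submit(party, fb)
            return True
        except RuntimeError:
            return False

    def revealed(self) -> dict:
        """What anyone, including the counterparty, can see.

        Empty until both sides have committed or the window has closed, so
        a seller cannot read the buyer's rating and retaliate, and nobody
        can hold a rating back as a threat past day N.
        """
        both_in = len(self.submitted) == 2
        if both_in or not self.window_open():
            return {"amount": self.amount, "feedback": dict(self.submitted)}
        return {}


def retaliation_attempt() -> bool:
    """Constructed scenario: buyer leaves a negative, seller checks before rating.
    Returns True if the seller could see the buyer's rating first."""
    tx = Transaction(amount=120.0)
    tx.submit("buyer", Feedback(as_described=False, shipped_promptly=True,
                                tone="rude", comment="not as pictured"))
    seller_sees = tx.revealed()        # {} -- nothing is visible yet
    return "buyer" in seller_sees.get("feedback", {})
```

The retaliation lever disappears because the seller's only two moves, rate blind or stay silent, both cost it the chance to condition on what the buyer wrote; silence past day N simply publishes the buyer's rating alone.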

What’s important is that EBay is replacing a transparent and manipulated system with one that’s going to be worse for their customers, and more expensive to operate. It will be interesting to see what emerges from this. Will a worse feedback system be enough to overcome the network effects and allow a strong competitor to emerge?

Thanks to Nicko van Someren for the pointer.

Measuring the Wrong Stuff

There’s a great deal of discussion out there about security metrics. There’s a belief that better measurement will improve things. And while I don’t disagree, there are substantial risks from measuring the wrong things:

Because the grades are based largely on improvement, not simply meeting state standards, some high-performing schools received low grades. The Clove Valley School in Staten Island, for instance, received an F, although 86.5 percent of the students at the school met state standards in reading on the 2007 tests.

On the opposite end of the spectrum, some schools that had a small number of students reaching state standards on tests received grades that any child would be thrilled to take home. At the East Village Community School, for example, 60 percent of the students met state standards in reading, but the school received an A, largely because of the improvement it showed over 2006, when 46.3 percent of its students met state standards. (The New York Times, “50 Public Schools Fail Under New Rating System”)

Get that? The school that flunked has more students meeting state standards than the school that got an A.

There are two important takeaways. First, if you’re reading “scorecards” from somewhere, make sure you understand the nitty gritty details. Second, if you’re designing metrics, consider what perverse incentives and results you may be creating. For example, if I were a school principal today, every other year I’d forbid teachers from mentioning the test. That year’s students would do awfully, and then I’d have an easy time improving the next year.
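The perverse incentive in that last paragraph, worked through as an added example that is not from the post or from the Times article. The letter-grade cut-offs and the two schools' five-year score series are constructed assumptions, chosen so that a flat year grades F and a 46-to-60 jump grades A, matching the outcomes the article reports:

```python
def grade_by_level(pct_meeting: float) -> str:
    """Grade on the share of students meeting the standard this year (assumed cut-offs)."""
    for threshold, letter in ((85, "A"), (75, "B"), (65, "C"), (55, "D")):
        if pct_meeting >= threshold:
            return letter
    return "F"


def grade_by_improvement(prev_pct: float, curr_pct: float) -> str:
    """Grade on the year-over-year change only; the current level is ignored.
    Cut-offs are assumed, chosen so that a flat year grades F."""
    delta = curr_pct - prev_pct
    for threshold, letter in ((10, "A"), (5, "B"), (2, "C"), (1, "D")):
        if delta >= threshold:
            return letter
    return "F"


GPA = {"A": 4, "B": 3, "C": 2, "D": 1, "F": 0}


def mean_gpa(series, metric: str) -> float:
    """Average grade over years 2..n of a score series under one metric."""
    if metric == "level":
        grades = [grade_by_level(c) for c in series[1:]]
    elif metric == "improvement":
        grades = [grade_by_improvement(p, c) for p, c in zip(series, series[1:])]
    else:
        raise ValueError(metric)
    return sum(GPA[g] for g in grades) / len(grades)


# Constructed five-year series: percent of students meeting the standard.
STEADY = [86.5, 86.5, 86.5, 86.5, 86.5]   # consistently strong, no growth
GAMING = [60.0, 46.0, 60.0, 46.0, 60.0]   # tank every other year, then "improve"


def compare(series_by_name=None) -> dict:
    """Score each strategy under both metrics, plus how many students it actually serves."""
    series_by_name = series_by_name or {"steady": STEADY, "gaming": GAMING}
    return {name: {"level": mean_gpa(s, "level"),
                   "improvement": mean_gpa(s, "improvement"),
                   "mean_pct_meeting": sum(s) / len(s)}
            for name, s in series_by_name.items()}
```

Under the improvement metric the school that deliberately tanks every other year averages a better grade than the one serving 86.5 percent of its students every year; the metric is answered, the thing it was meant to measure is not. The same shape shows up in security scorecards that reward "vulnerabilities closed this quarter" rather than exposure.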

NYT Reporter Has Never Heard of Descartes


Or perhaps more correctly, did not internalize Descartes when he heard of him. In “Our Lives, Controlled From Some Guy’s Couch,” John Tierney writes:

Until I talked to Nick Bostrom, a philosopher at Oxford University, it never occurred to me that our universe might be somebody else’s hobby. I hadn’t imagined that the omniscient, omnipotent creator of the heavens and earth could be an advanced version of a guy who spends his weekends building model railroads or overseeing video-game worlds like the Sims.

It is for occasions such as these that the expressions “gobsmacked” and “WTF” were created. How could you survive to adulthood, let alone get a degree in what I presume was some sort of liberal arts, let alone get a job at The Paper of Record, and not once wonder about whether reality is real? This also suggests that the poor thing’s youth was insufficiently misspent.

Perhaps the real interesting work in this sort of liberal arts has moved to the likes of Edward Fredkin at MIT.

It’s a great article, and I’m happy that serious newspapers are talking about things like this. But in World of Warcraft, a simulation that he gives as a comparison, the characters have a repertoire of jokes. One of the jokes that a woman might say is, “Do you feel that you aren’t in control of your own destiny — like — you’re being controlled by an invisible hand?”

I’m pleased that Oxford philosophers think about this, and I’m glad that professional journalists are paying attention to it rather than the usual fluff. For our children, however, this is just part of popular culture.

Photo courtesy of denzilm.

Emergent Chaos and Pirates


… pirate ships limited the power of captains and guaranteed crew members a say in the ship’s affairs. The surprising thing is that, even with this untraditional power structure, pirates were, in Leeson’s words, among “the most sophisticated and successful criminal organizations in history.”

Leeson is fascinated by pirates because they flourished outside the state—and, therefore, outside the law. They could not count on higher authorities to insure that people would live up to promises or obey rules. Unlike the Mafia, pirates were not bound by ethnic or family ties; crews were as remarkably diverse as in the “Pirates of the Caribbean” films. Nor were they held together primarily by violence; while pirates did conscript some crew members, many volunteered.

Mmmmm, chaos and emergent rules that work. Who’da thunk?

Read about pirates in the New Yorker.

Photo: “Tom Ironlocks, Sam Hawkeye and Wilde Oskar posing,” by larsst.

Astronauts and Terrorists: Limits of Screening

So we here at Emergent Chaos have carefully refrained from using the phrase “astronaut in diapers” not because we think that it is now incumbent upon the blogosphere to maintain what little dignity remains in American journalism, but because, within about nine minutes of the arrest of Lisa Nowak, the blogosphere had thoroughly digested the story, and there was apparently nothing left to say.

However, when the New York Times published “Astronaut’s Arrest Spurs Review of NASA Testing” with the lead words “NASA is reviewing its psychological screening and checkup process in the wake of the arrest of Capt. Lisa M. Nowak, the astronaut accused of attempted murder, space agency officials said yesterday,” it occurred to me that we could, after all, jump on the “astronaut in diapers” bandwagon.

You see, we’re concerned with the idea of screening. We think it’s way over-applied, and reduces the emergence of chaos with which we are enamoured. And we’re forced to ask, if NASA, who, after all, can put a man on the moon, can’t screen its 100-odd astronauts successfully, what odds does the TSA have of screening for terrorists?

The TSA, you’ll recall, is an agency that has never put anything but a gloved hand where it doesn’t belong. And TSA wants to screen millions of Americans every day. They want to screen us for a set of criteria that remain extremely fuzzy. (As we covered in a review of the book, “Who Becomes a Terrorist and Why?“)

Setting (our) silliness aside for a moment, screening for rare conditions, like being a terrorist, or a willingness to don diapers and drive 15 hours to wave a BB gun in someone’s face, is hard. It’s hard because you don’t have good indicia of what to look for. It’s hard because every small over-reach will result in thousands of false positives, because, after all, most Americans aren’t terrorists, any more than most astronauts are murderers.

Trying to screen for either is a waste.
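The base-rate arithmetic behind that conclusion, as an added example that is not from the post. The passenger count, prevalence, sensitivity and specificity are constructed assumptions; the same functions apply to any detector whose target is rare, an alert rule run over millions of log events included:

```python
def screening_outcomes(population: int, prevalence: float,
                       sensitivity: float, specificity: float) -> dict:
    """Expected counts from one pass of a screen over `population` people.

    sensitivity: fraction of real cases the screen flags.
    specificity: fraction of non-cases the screen correctly passes.
    """
    positives = population * prevalence
    negatives = population - positives
    tp = positives * sensitivity            # real cases caught
    fn = positives - tp                     # real cases missed
    fp = negatives * (1.0 - specificity)    # innocents flagged
    tn = negatives - fp
    ppv = tp / (tp + fp) if (tp + fp) else 0.0   # P(real case | flagged)
    return {"true_pos": tp, "false_pos": fp, "false_neg": fn,
            "true_neg": tn, "ppv": ppv}


def false_positives_per_catch(prevalence: float, sensitivity: float,
                              specificity: float) -> float:
    """How many innocents get flagged for every real case caught."""
    o = screening_outcomes(1_000_000, prevalence, sensitivity, specificity)
    return o["false_pos"] / o["true_pos"] if o["true_pos"] else float("inf")


def specificity_for_ppv(prevalence: float, sensitivity: float,
                        target_ppv: float) -> float:
    """Specificity needed so that a flag is right with probability target_ppv.

    From ppv = p*s / (p*s + (1-p)*(1-spec)), solved for spec.
    """
    p, s, t = prevalence, sensitivity, target_ppv
    spec = 1.0 - p * s * (1.0 - t) / (t * (1.0 - p))
    return max(0.0, spec)


# Constructed scenario (assumed numbers): 2,000,000 passengers a day, 10 of
# them actual bad actors, and a screen that catches 90% of those with 99%
# specificity, i.e. it wrongly flags one innocent traveller in a hundred.
DAILY = screening_outcomes(2_000_000, prevalence=10 / 2_000_000,
                           sensitivity=0.90, specificity=0.99)
```

With those inputs the screen flags about twenty thousand innocent people a day to catch nine; a flag is correct well under one time in a thousand, and getting a flag to even a coin-flip's reliability would need a specificity above 0.99999, which is the sort of number no behavioural screen for a fuzzy criterion delivers. The NASA case is the same arithmetic with a population of a hundred and a condition nobody has a good test for.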

 

When a 0% Success Rate is Worthwhile

There’s an article in Zaman.com, “Turkish Hacker Depletes 10,000 Bank Accounts”:

A criminal enterprise comprised of 10 individuals who drained the accounts of 10,580 customers by sending virus-infected e-mails was busted in Istanbul.

The suspects reportedly sent virus-infected emails to 3,450,000 addresses, and subsequently drained 10,850 bank accounts.

That’s a hit rate of 0.314%. Which I’m not going to analyze today.

Additional resources, all in Turkish: “İnternet dolandırıcıları yakalandı,” “İnteraktif banka dolandırıcılığı” both seem to be “TSI” agency stories, and “10 bin müşteri hesabını boşalttılar” seems to be a gov.tr site with additional details. Do any readers speak Turkish?
