
Monday, December 22, 2008

Perception and reality

Where I live in San Jose, there's a shortage of parking. Every house has a two-car garage, but most of the garages are used for storage instead of parking. Add a few families with three or four cars, and you have a situation where the demand for parking spaces exceeds their supply. One of my neighbors actually blames the Bush administration for our parking problems. I'm not sure what line of reasoning led him to that conclusion. I was fortunate enough to have my wife listen to those particular details.

This is probably a case where there's a difference between perception and reality. I seriously doubt that politicians in Washington did anything that created The Great San Jose Parking Crisis, but there's at least one person out there who believes otherwise and I doubt that any amount of facts will change his opinion. His perception and reality will probably never agree.

Information security has its own set of mismatches between perception and reality. For example, there's the perception that e-mail is in danger of being intercepted and read while it's on the Internet, but that it's safe inside the firewall. The reality is that e-mail is definitely in danger of being intercepted and read inside the firewall. It's fairly easy for anyone on your network to watch the traffic on it, and it's also easy for mail administrators to read people's e-mail. I know of many more cases of an administrator intercepting and reading e-mail than I do of e-mail being intercepted and read on the Internet. Most security people you talk to will probably have the same story. Despite this, the perception is that e-mail is safe in the very place where it's at the most risk.

This may or may not be a serious problem. If all of your employees can see all of your data, then you have nothing to worry about, but this is probably not the case. There's almost certainly lots of sensitive information contained in some of the e-mails that are sent within any business. Your HR people probably send documents back and forth that contain all sorts of sensitive information, including salaries, social security numbers and more. Executives preparing for their quarterly board meetings probably send documents back and forth that contain all sorts of sensitive information about the financial situation of their company and its future plans. Sales managers probably send messages to other sales managers and to the sales engineers who support them that discuss the details of the deals that they're working on. All of this sensitive information may never leave your network, but you also may not want it to get into the wrong hands, and that doesn't necessarily mean that a hacker gets his hands on it. So if you're considering encryption as a way to protect sensitive information, don't forget to protect information when it's the most vulnerable, and that's when it's still in your network.

Monday, December 08, 2008

How to eliminate spam

Industry analysts estimate that spam currently accounts for close to 90 percent of e-mail messages sent and causes billions of dollars in economic losses annually. The problem with spam is very similar to that of pollution: spammers profit from their activity at the expense of the rest of the population, just like polluters of the environment profit while annoying or endangering others. So it seems reasonable that our understanding of the economics of pollution may give us some insight into the economics of spam. The work of Nobel Laureate Ronald Coase is particularly useful for this.

In 1991, Coase was awarded the Nobel Prize in Economics for his contributions to understanding how property rights and transaction costs affect the structure and functioning of an economy. Coase showed that if we assume that transaction costs are negligible, as long as property rights are clearly defined, the equilibrium that a market will reach does not depend on who initially owns the affected property. All that will change is who profits from the transactions that lead to the equilibrium.

An example of this principle is a locomotive whose coal-burning engine showers sparks over the land that it passes. Reducing the level of sparks emitted is possible, but requires that the owner of the train incur the additional costs to purchase some sort of spark-reduction equipment. To quantify this, let’s assume that a train normally produces 10 units of sparks, but these can be reduced at a cost of $200 per unit eliminated, and that each unit of sparks does $300 of damage to the land that it passes. So if the train produces 10 units of sparks there will be no additional costs for the owner of the train, and the train will do $3000 of damage to the land that it passes. If the train produces no sparks at all, there will be additional costs of $2000 for the owner of the train, but the train will do no damage to the land that it passes.

If the owner of the train is free to shower sparks over the land that his train passes, the owners of the land will be willing to pay the owner of the train $300 for each unit of sparks that they eliminate. This situation will reach an equilibrium where the owners of the land will pay the owner of the train $1200 to reduce the sparks down to only four units, which the owner of the train will use to finance the modifications to his trains that the reduction in sparks requires. On the other hand, if the owner of the land is free to deny the owner of the train the right to shower sparks on his land, then the train owner will be happy to pay the landowner $1200 to compensate him for his inconvenience, and the landowner will then be happy to endure four units of sparks. The end result that we arrive at is the same in both cases, with the only difference being who is paying whom. And since both parties prefer the arrangement where four units of sparks are produced to any other, it will be the state that this market eventually reaches.

Coase showed that this will always happen as long as there are no transaction costs. So as long as we have clearly-established property rights, we will reach an equilibrium between a polluter and the victims of the pollution, and the equilibrium that we will reach will be the same no matter who owns the property rights to the environment.

If we apply this model to spam, we see that spammers are analogous to the train owners and recipients of e-mail are analogous to the owners of the land that the train will damage with its sparks. But in the case of spam, there is no way for spammers and recipients of e-mail to reach an agreement that limits the amount of spam to a mutually-acceptable level. First, there are no property rights to enforce; neither the spammers nor the legitimate users of e-mail can claim any exclusive right to use the Internet for messaging. Next, there is no efficient way for spammers to reach an agreement with their victims. Because of this, the amount of spam sent remains unchecked by market forces, as does the annoyance suffered by users of e-mail.

Thus Coase's result provides an easy solution to the problem of spam: define ownership of the Internet and the rights to use it. Once we do this, market forces will then drive the amount of spam that is sent to an acceptable level, with slight inefficiencies possible due to the transaction costs involved. And since the equilibrium that the market will reach does not depend on to whom we assign ownership of the Internet, we will even end up with the same reduction in spam if we decide to assign the ownership of the Internet to the spammers – a truly remarkable result.

Monday, November 24, 2008

Work for the ABA

The American Bar Association has an interesting point of view about encrypting e-mail. In their Formal Opinion 99-413, they say that lawyers can send unencrypted e-mail over the Internet without violating the ABA Rules of Professional Conduct. This means that lawyers are allowed to send confidential client information by unencrypted e-mail. Here’s how they describe the basis for this decision:

The Committee believes that e-mail communications, including those sent unencrypted over the Internet, pose no greater risk of interception or disclosure than other modes of communication commonly relied upon as having a reasonable expectation of privacy. The level of legal protection accorded e-mail transmissions, like that accorded other modes of electronic communication, also supports the reasonableness of an expectation of privacy for unencrypted e-mail transmissions. The risk of unauthorized interception and disclosure exists in every medium of communication, including e-mail. It is not, however, reasonable to require that a mode of communicating information must be avoided simply because interception is technologically possible, especially when unauthorized interception or dissemination of the information is a violation of law.

So the ABA is willing to rely on the fact that people should expect their e-mail not to be read by anyone other than the intended recipient, and on the fact that intercepting and reading e-mail is illegal, to protect confidential client information. This seems to be a fairly odd position. If you're in the health care industry, I don't think that the ABA's reasons would be enough to satisfy the requirements of HIPAA. And I'm fairly sure that an auditor checking to see if you're compliant with the PCI DSS wouldn't buy those arguments either. The ABA's guideline is the weakest that I've seen. It's not that difficult or expensive to encrypt e-mail these days. Perhaps the ABA should revisit this issue with this in mind.

Thursday, November 13, 2008

What type of spam works?

There's a lot of spam these days. A recent report from Symantec shows the relative frequency of the types of spam that are the most prevalent today. This is shown in Figure 1. It certainly looks like we have a wide variety of annoying spam to choose from, doesn't it?

Figure 1. Breakdown of types of spam messages sent by type.

According to widely-quoted data from Ciphertrust, however, all types of spam aren't equally effective. If we weight the data from Symantec by the clickthrough rates estimated by Ciphertrust, we get an entirely different picture. This is shown in Figure 2. From this, it's fairly clear which types of spam are effective and which ones aren't. You have to wonder why some spammers even bother. Why waste your time on an ineffective spam campaign if you can change your product and get a much better response? Spammers are fairly clever at finding ways to get their messages past spam filters. How could they have missed this obvious optimization?

Figure 2. Breakdown of total clickthroughs on different types of spam messages.

Wednesday, October 15, 2008

Unexpected costs

PKI is an interesting technology that has received its share of bad press. These negative comments have typically focused on the problems that most implementations of PKI have – they tend to be expensive and too hard for average users. What's often not considered is the fact that not many applications can use the digital certificates that PKI creates and manages. This means that after you spend a fair amount of money deploying your PKI, you'll find that you can't do much with your certificates except encrypt and sign e-mail or authenticate to a web server. Just those two uses probably don't justify the cost of deploying and supporting a PKI. Most applications don't support PKI, and modifying them so that they do can be expensive, perhaps even very expensive.

I recently gave a talk about some innovative applications of cryptography in the entertainment industry. In this talk I mentioned that I'd heard that the Department of Defense has requested $5 billion to PKI-enable their core mission-critical applications. It turned out that a person in the audience was involved in that budgeting exercise and she told me that this estimate was way off.

It seems that the estimate of $5 billion came from a call which polled various departments about their needs and how much it would take to PKI-enable their most important applications. According to the person at my talk, most of the people on this call had no idea what PKI was or why they'd need budget to PKI-enable their applications. So when they were asked how much they needed, they said that they needed nothing. This means that the $5 billion number probably grossly underestimates the actual costs. Because of this, a more realistic estimate for the cost of PKI-enabling the DoD's applications might be more like $10-20 billion.

Ouch.

Tuesday, October 14, 2008

A simple misunderstanding

A while back a heated discussion started on a mailing list that I subscribe to. This particular list is for discussion related to a certain security standard, and the cost of using PKI was the topic that seemed to get people's interest.

The opponents of PKI pointed out that it's typically very expensive and too hard for the average user to use. There are certainly real-world statistics to back up these claims. According to a report by the GAO, the average cost of PKI in the US federal government has been a bit over $220 per certificate. Another analyst report estimates that the TCO of a secure e-mail solution based on PKI is over $800 per user per year. I don't recall any compelling arguments from the proponents of PKI. Instead, they focused on the need for some way to verify the origin of e-mail and to protect it from eavesdropping. I don't recall any claims that PKI was the best way to do this, just that it's a way that's available now.

I usually try to stay out of heated discussions on the Internet, but this time I couldn't help adding a comment that didn't really add anything useful to the discussion. I did this by mentioning that if PKI is really as expensive as the GAO report would have us believe, then in many cases there's probably a cheaper alternative. I proposed that you could use your FedEx account number as a way for people to be able to securely get information to you, so that it would more or less be acting like a public key. Using FedEx isn't cryptographically secure, but it's probably good enough for most uses. In cases where you're not sending too many documents, this has a good chance of being cheaper than using PKI-based e-mail. This wasn't meant to be taken seriously, of course.

Like many other comments via e-mail that aren't meant to be taken seriously, this one was misunderstood. The first reply to it asked if I was suggesting that a FedEx account number could be used as a user's identity in some sort of identity-based encryption scheme. So I was stuck explaining that I wasn't being serious and that my comment wasn't meant to be taken literally. Identity-based encryption may be very useful in some applications, but this probably isn't one of them.

Thursday, October 02, 2008

NRS 597.970

We have seen more than 39 states adopt data breach disclosure laws since California Senate Bill 1386. These laws help with cleaning up the mess left behind by a breach. Now, however, we are starting to see the first laws that try to address the problem of preventing the breach from happening in the first place. The first state to do this is Nevada, with Massachusetts, Washington and Michigan to follow shortly. These laws mandate the use of encryption to prevent sensitive customer information from being compromised when that information is transmitted out of the business.

Nevada Revised Statute (NRS) 597.970, which is effective October 1, 2008, reads as follows:

NRS 597.970 Restrictions on transfer of personal information through electronic transmission.

1. A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.

2. As used in this section:

(a) "Encryption" has the meaning ascribed to it in NRS 205.4742.

(b) "Personal information" has the meaning ascribed to it in NRS 603A.040.

This certainly looks like it requires encryption, but a closer look at the law also shows that there's no penalty for breaking it.

NRS 597.100 Criminal penalty. A person who willfully and intentionally violates any provision of NRS 597.010 to 597.090, inclusive, is guilty of a misdemeanor.

However, this law opens up businesses to lawsuits, and in combination with the prevailing data breach disclosure law, having encryption will limit a business's liability in the event of a data breach. So adding some low-cost encryption software seems like a small price to pay for protecting your customer and employee data from being exposed after all.

Nevada businesses - take a look at www.voltage.com/nevada

UPDATE: From the WSJ - October 16th, 2008

"In Nevada, companies that suffer a security breach but comply with the new law would cap their damages at $1,000 per customer for each occurrence. Those that don't comply would be subject to unlimited civil penalties under the proposed enforcement plan, said James Earl, executive director of the state's task force for technological crimes."

Friday, September 19, 2008

It really just works

Encryption has a reputation of being notoriously difficult to use. There were probably good reasons to believe this at one time, but that time has passed. I finally realized this a while ago when I had to deal with the problems caused by a canceled credit card. I found some fraudulent charges on one of my credit cards. I had the old card canceled and a new one issued, but that caused another problem.

I collect books. Some books are hard to find, so I have standing orders placed with several book dealers. If they ever find a copy of a book that I'm looking for in the price range that I can afford, they'll bill my credit card and ship me the book. So when the credit card number that I used for these orders was canceled, I had to get a new number to several book dealers throughout the world. I decided to send my credit card number in an encrypted e-mail, and used Voltage's VSN hosted e-mail service to do it.

Unsure that the recipients would be able to read the encrypted e-mails, I also sent another message that explained that an encrypted e-mail would follow that contained my new credit card number and that they should let me know if there were any problems.

Nobody asked for help.

Every single recipient was able to decrypt and read the messages that I sent them and update the credit card number that they had on file for me. That’s almost certainly proof that encryption is now easy enough for the average user.

Imagine trying to do that five years ago. You'd probably have an e-mail exchange that would go something like this:

"OK, you first need to get a digital certificate."

"A what?"

"No, really, it's easy. Just go to this URL and fill in the form."

"OK. Wait a minute. What's my 'organizational unit?' What's my 'locality?' Do I really have to read and understand this 'certificate policy?' That looks like a job for my lawyer."

"Never mind. I'll just e-mail you my credit card number in the clear."

Tuesday, September 16, 2008

For better or worse

A coworker of mine sometimes wonders if our modern technology has really made things any better for us. He probably has a point. In some cases, it probably hasn't really made things better. In other cases, it probably has.

When I bought my first house many years ago, I was surprised to see how many documents were being furiously faxed back and forth at the last minute between the various parties to the deal. Puzzled by this, I asked how they managed to close on mortgages before the days of fax machines. "Oh," I was told, "we didn't need this stuff back then."

So it looked like when fax machines created the ability to easily send additional paperwork back and forth, additional paperwork somehow became necessary when it wasn't necessary before. There was no drop in the foreclosure rate for mortgages after the introduction of fax machines, so it looks like the additional faxed documents didn't decrease lenders' risks any. There was also no increase in the number of mortgages processed due to the ability to fax documents. So this use of fax machines is probably an example of modern technology that hasn't really made things better.

On the other hand, some technology does seem to make things better. Using a fax machine didn't seem to make processing mortgages any better, but using e-mail does seem to do this. There's at least one mortgage company that I've heard of that uses encrypted e-mail for mortgage documents. This has let them make their process more efficient - so efficient that they're now processing about 20 percent more mortgages per year. This amounts to an increase in their revenue of about 20 percent, so this is probably a case where new technology actually made things better.

Sunday, August 24, 2008

How many Nigerian scammers are there?

In a recent article in The Sydney Morning Herald, a Nigerian official tried to make it seem that not that many Nigerians try to pull Nigerian scams on people. He claimed that of the roughly 140 million inhabitants of Nigeria, less than 0.1 percent are involved in these scams. That doesn't sound too bad, does it?

Wait a minute! Just 0.1 percent of 140 million people is still 140,000 people. Microsoft has roughly 91,000 full-time employees; Intel has roughly 86,000. So saying that less than 0.1 percent of Nigerians are involved in these scams just limits the number of people involved to the size of some of the world's biggest companies. That's hardly encouraging.