Copyright, 2012 1 Security, for Society A View from the End of the World Roger Clarke Xamax Consultancy Pty Ltd, Canberra Visiting Professor in Computer

Copyright,2012

1

Security, for SocietyA View from the End of the World

Roger ClarkeXamax Consultancy Pty Ltd, Canberra

Visiting Professor in Computer Science, ANU, CanberraVisiting Professor in Cyberspace Law & Policy, UNSW, Sydney

http://www.rogerclarke.com/EC/SforS-120625 {.html, .ppt}

Copenhagen – 25 June 2012

QuickTime™ and aTIFF (LZW) decompressorare needed to see this picture.

The Danish Council for Greater IT-Security

Danish Society of Engineers (IDA)Subgroup on IT (IDA-IT)

QuickTime™ and aTIFF (LZW) decompressorare needed to see this picture.In Association with CBIT, Roskilde University

Copyright,2012

2

QuickTime™ and aTIFF (Uncompressed) decompressor

are needed to see this picture.

http://www.odt.org/southupmaps.htm

Copyright,2012

3


Aims

• Provide an Australian Perspective on some current themes in Data and IT Security

• Consider some broader aspects of Security

• Note tensions within and between Perspectives

• Present a security analysis of Danish Society

Copyright,2012

4

The Notion of Security

Security is used in at least two senses:• a Condition in which harm does not

arise, despite the occurrence of threatening events

• a Set of Safeguards whose purpose is to achieve that Condition

Copyright,2012

5

The Scope of Security

QuickTime™ and aTIFF (LZW) decompressor


Copyright,2012

6

The Conventional IT Security ModelThreats impinge on Vulnerabilities, resulting in

Harm

QuickTime™ and aTIFF (Uncompressed) decompressor


Copyright,2012

7

The Organisational Scope of Security



Copyright,2012

8

Important IT Security Considerations• Data Security

Environmental, second-party and third-party threats to content, both in remote storage and in transit

• Authentication and AuthorisationHow to provide clients with convenient access to data and processes in the cloud, while denying access to imposters?

• Service Security Environmental, second-party and third-party threats to any aspect of reliability or integrity

• Susceptibility to DDOSMultiple, separate servers; but choke-points will exist

Copyright,2012

9

Maladjustment• Malcontent

Spam, Email-Attachments, Downloads• Malware

Malcontent in the form of softwareUses a Vector, to deliver a Payload,

which is Invoked, and results in Harm • Malbehaviour

Flaming, Incitement, Social EngineeringHacking / Cracking / Break-InDefacing, Accessing, Changing,

DestroyingDenial of Service

Copyright,2012

10

Basic Architecture forIT Security Safeguards



ExternalSecurity

InternalSecurity

PerimeterSecurity





Copyright,2012

11

Key IT Security Safeguard Categories

External Security• Content Transmission

Security ('Confidentiality')e.g. SSL/TLS

• Authentication of Sender, Recipient, Contente.g. Dig Sigs, SSL/TLS, Tunnelling, VPNs

• 'White Hat Hacking'• Network-Based

Intrusion Detection (ID)• ...

Perimeter SecurityInspection and Filtering• Traffic, i.e. 'Firewalls'• Malcontent, Malware

Internal Security• Access Control• Vulnerability Inspection• Intrusion (Threat) Detection• Safeguard Testing• Backup, Recovery,

'Business Continuity Assurance',incl. 'warm-site', 'hot-site'

Copyright,2012

12

Recent Australian IT Security Experience

• Seen as a Contingency not Business-As-Usual

• Strong tendency to suppress bad news• Investment and ongoing expense hard to

justify• Like all IT, subject to Outsourcing and

hence mostly ‘out of sight, out of mind’ and ‘we have people to do that kind of thing for us’

Copyright,2012

13


• Seen as a Contingency not Business-As-Usual• Strong tendency to suppress bad news• Investment and ongoing expense hard to

justify• Like all IT, subject to Outsourcing and hence

mostly ‘out of sight, out of mind’ and ‘we have people to do that kind of thing for us’

• Sporadic explosions of fervour, unsustained

Copyright,2012

14


• Seen as a Contingency not Business-As-Usual• Strong tendency to suppress bad news• Investment and ongoing expense hard to justify• Like all IT, subject to Outsourcing and hence

mostly ‘out of sight, out of mind’ and ‘we have people to do that kind of thing for us’

• Sporadic explosions of fervour, unsustained• Security companies have promised much, but

have never flourish as they were expected to

Copyright,2012

15

Organisational Perspective on Security1. Operational Qualities

• Fit – to users' needs, and customisability

• Reliability – continuity of operation

• Availability hosts/server/db readiness/reachability

• Accessibility network readiness

• Usability response-time, and consistency

• Robustness frequency of un/planned unavailability

• Resilience speed of resumption after outages

• Recoverability service readiness after resumption

• Integrity – sustained correctness of the service, and the data

• Maintainability – fit, reliability, integrity after bug-fixes & mods

http://www.rogerclarke.com/II/CCBR.html incl. enhancements to Avizienis et al. (2004)

Copyright,2012

16

Further Issues – Cloud Computing Perspective

2. Contingent Risks• Major Service Interruptions• Service Survival – supplier collapse or withdrawal

Safeguards include software escrow; escrow inspection; proven recovery procedures; rights that are proof against actions by receivers

• Data Survival – data backup/mirroring/synch, accessibility

• Data Acessibility – blockage by opponents or a foreign power

• Compatibility – software, versions, protocols, data formats

• FlexibilityCustomisationForward-Compatibility to migrate to new levelsBackward-Compatibility to protect legacy systemsLateral Compatibility to enable dual-sourcing and escape

Copyright,2012

17


3. Commercial Disbenefits and Risks• Acquisition

• Lack of information• Non-Negotiability of Terms and SLA

• Ongoing• Loss of Corporate Expertise

re apps, IT services, costs to deliver• Inherent Lock-In Effect

from high switching costs, formats, protocols• High-volume Data Transfers

from large datasets, replication/synchronisation• Service Levels to the Organisation's

Customers

Copyright,2012

18


4. Compliance Disbenefits and Risks• General Statutory & Common Law Obligations

• Evidence Discovery Law• Financial Regulations• Company Directors' obligations re asset protection,

due diligence, business continuity, risk management• Security Treaty Obligations

• Confidentiality – incl. against foreign governments• Strategic• Commercial• Governmental

• Privacy – particularly Unauthorised Use and DisclosureSecond-Party (service-provider abuse), Third-Party ('data breach','unauthorised disclosure'), Storage in Data Havens (India, Arkansas)

Copyright,2012

19

Attacks

By Whom? Why?Principals

OpportunistsHacktivistsVigilantesOrganised CrimeCorporationsNation-States

AgentsMercenariesPrivate Military Corporations

Politics• Protest against Action• Retaliation / Revenge• Espionage

Economics• Financial Gain• Financial Harm

Social/Cultural Factors• Challenge• Dispute• Celebration

Copyright,2012

20

Recent Australian Experience• Sporadic Emphasis on

but Limited Understanding of:• Risk Assessment• Risk Management• Governance

• Ambivalence about Cloud Computing

• Data Leakage• Supplier Reliability

• Service Provision• Data Availability

• Jurisdictional Location of Data

Copyright,2012

21

A Broader Scope for Security



CompetitionCollaboration, esp. re IT Infrastructure

Copyright,2012

22

A Yet Broader Scope for Security

IT Infrastructure for Economic Development‘Critical IT Infrastructure’



Copyright,2012

23

Recent Australian Experience• Malware Detection and Eradication

• Corporate Devices• Consumer Devices

• Botnets• Zombie Detection and

Eradication

Copyright,2012

24



• Botnets• Zombie Detection and

Eradication• Internet-Connected SCADA

Copyright,2012

25



• Botnets• Zombie Detection and Eradication

• Internet-Connected SCADA• Moral Minority Desires re Censorship• IP -Dependent Corporation Desires• Nation-State Desires – ITU vs. TCP/IP

Copyright,2012

26



http://idealab.talkingpointsmemo.com/2012/06/un-proposals-to-regulate-internet-are-troubling-leaked-documents-reveal.php

http://www.internetgovernance.org/2012/06/21/threat-analysis-of-the-wcit-4-cybersecurity/



Copyright,2012

27

Tensions• Between Organisational Objectives

• Certain Costs vs. Contingent Costs• Financial Cost vs. Non-

Quantifiables• Business-as-usual vs. Invisibles

Copyright,2012

28

Tensions• Between Organisational Objectives

• Certain Costs vs. Contingent Costs• Financial Cost vs. Non-Quantifiables• Business-as-usual vs. Invisibles

• Between Alternative Scopes• A bot doesn’t harm the host, so

there’sno incentive to fix it (an ‘externality’)

• Copyright material on P2P networks• Organisational, Sectoral, National

and Supra-National Agency Interests

Copyright,2012

29

A Mostly-Forgotten Scope for Security



Copyright,2012

30

Current Australian Issues inConsumer and Citizen Security

• Data BreachesNotificationCivil and Criminal Liability

• ePaymentsMobile / SmartphonesVisa PayWave, MCard PayPass

• Social MediaIts Anti-Social Business Model Unconscionable Terms of ServiceActual Abuse of Consumer DataThe Coming Google-Acxiom Merger

• Smart Meters• The Internet of Things

Copyright,2012

31



The Many Scopes of Security

Copyright,2012

32



What about ‘Humanity’? ‘The Biosphere’?

Copyright,2012

33



And where is ‘National Security’?

Copyright,2012

34

Is this ‘National Security’?

The protection of a nation from attack or other danger by holding adequate armed forces and guarding state secrets

Encompasses economic security, monetary security, energy security, environmental security, military security, political security and security of energy and natural resources

http://definitions.uslegal.com/n/national-security/

Copyright,2012

35

Or is this ‘National Security’?

• Public SafetyMayhem in marketplaces, bombs in aircraftMajor Events, e.g. Olympics, Euro 2012

• Prominent Person SafetyBush and Blair; Rushdie and Kurt WestergaardGx, APEC, CHOGM, ...

• Critical Infrastructure SecurityBombs in ports, ships, railways, energy, ...Anthrax in the water supply, ...

Copyright,2012

36

Social Control MeasuresJustified by ‘National Security’

Data Consolidation

Identity• Consolidation• Nymity Denial• Identity

Management

Surveillance• Physical• Communications• Data• Location and

Tracking• Content Experience

and Behaviour• Body Experience

and Behaviour

Copyright,2012

37

Why is ‘National Security’Exempt from Key Evaluation

Principles?

• Justification• Relevance• Effectivenes

s• Proportionality• Transparency• Accountability

Copyright,2012

38

Elements of Social Control Architecture

• A National ID Scheme• Imposed Singular Identities for all

purposes• Imposed Singular eIdentities and

'Portals'• Biometric Id and/or Authentication

• Physical Location and TrackingCheckpoints, Video Surveillance, ANPR

• Network-Traffic SurveillancePublic-Private Partnerships

Copyright,2012

39

Denmark’s Central Person Register (CPR)

and Civil Registration System (CRS)• Is obligatory and universal• Includes birthdate, gender in the ID No.• Consolidates all basic personal data

and makes it widely available• across all government agencies• across increasingly large segments

of the private sector• Is proposed for expansion, in terms of:

• users• uses• data-items

http://www.cpr.dk Id=4327 27/09/2001

Copyright,2012

40

The Elements of a National Identity Scheme

1. A Database2. A Unique Signifier for

Every Individual1. A 'Unique Identifier'2. A Biometric Entifier

3. An (Id)entification Token (such as an ID Card)

4. Quality Assurance Mechanisms1. Mechanisms for (Id)entity Authentication2. Mechanisms for (Id)entification

5. Widespread Use1. Widespread Data Flows Containing the Identifier2. Widepread Use of the (Id)entifier3. Widespread Use of the Database

6. Obligations1. Obligations Imposed on Every Individual2. Obligations Imposed on Many Organisations

7. Sanctions for Non-Compliance

http://rogerclarke.com/DV/NatIDSchemeElms.html

Copyright,2012

41

E-BOKS / e-Posthuset

• Is integrated with, or at least dependent on,the CPR/CRS and Personal Identification No.

• Is designed as the primary channel for all government communications to citizens

• Is imposed on all government employees• Offers itself as a repository for id

documents

Copyright,2012

42

Digital Signatures / NemID• Is designed to force all activities into a single

identity per person, consolidating all personas, and thereby creating a honeypot for agencies, for corporations and for intruders

• Enables the service provider to commit masquerade

• Imposes trojan client-software that has access to all resources on the consumer/citizen’s devices

Copyright,2012

43

Digital Signatures / NemID• Is designed to force all activities into a single identity

per person, consolidating all personas, and thereby creating a honeypot for agencies, for corporations and for intruders

• Enables the service provider to commit masquerade• Imposes trojan client-software that has access to all

resources on the consumer/citizen’s devices

• NemID = Nemesis In Danish• Nemesis: 'divine retribution against those

who succumb to arrogance before the gods'

Copyright,2012

44

Abuse of Social Control Architecture

• By an Unelected Government• an invader• military putsch

• By an Elected Government• that acts outside the law • that arranges the law as it wishes• that reflects temporary public

hysteria

Copyright,2012

45

A New Digital Security Model

• In a highly-interconnected world,Perimeter Security / The Walled Fortressdoesn't work any more

• The new Core Principle:

When-not-if unauthorised access happens,

make sure that the data is valueless to anyone other than the user-

organisation

Copyright,2012

46

A New Digital Security ModelSome Implementation Techniques

• Obscure the content and identities(Only the user-organisation has the decryption-key)

• Use pseudo-identifiers not identifiers(Only the user-organisation has the cross-index)

• Split the content into 'small enough' morsels(Only the user-organisation has the whole picture)

• Authenticate attributes rather than identities

NITTA (2011) 'New Digital Security Models' National IT and Telecom Agency, Copenhagen, February 2011, http://digitaliser.dk/resource/896495

Copyright,2012

47



http://en.itst.dk/

Copyright,2012

48

Denmark is a World Leader

• GDP per capita (7th)• Export Value per capita (9th)• Corruption Index (2nd)• Highly flexible labour market• High Minimum Wage (1st)• No-Fee Tertiary Education• Human Development Index

(16th)• Happiness Index (1st)


Copyright,2012

49

Security Analysis of Danish Society – 1

• 75% of GDP and Export is Industrial Productincl. Consumer Products, Lego, Hifi, Wind Turbines, Greentech, ..., also Architecture

• Labour cost is very high• Agility is critical to sustained success• Stability, creativity and adaptability of the

workforce are critical, to ensure agility

• Social control, surveillance and a climate of suspicion are incompatible with Agility

Copyright,2012

50


• World’s largest public sector (30% of workforce)

• World’s highest taxes• World’s most privacy-intrusive government• Recent substantial centralisation of a

previously highly distributed public sector• LOTS to lose (see previous slide)

• So there is scope for nervousness and discontent

Copyright,2012

51


• The population is highly homogeneous (90% Danish)

• People like it like that• The Muslim population has reached 3%• This has resulted in anti-immigration sentiment

and very tough immigration laws• That encourages reprisals by activist Muslims

• So there is scope for repressive measures

Copyright,2012

52


• The pre-conditions for despotism arelargely fulfilled already – CPR/CRS, NemID, ...

• So there is scope for rapid introduction of repressive measures

• That would create a vicious spiral of discontent, more repressive measures, more active expressions of discontent, etc.

Copyright,2012

53


Recapitulation

• Security, even when limited to data and IT,can be approached with varying scope

• There are tensions within each perspective,and tensions between perspectives

• As a society, we’re not doing it very well• Most countries have let national security

extremists flout basic security principles• Denmark is in a precarious position

Copyright,2012

54


Roger ClarkeXamax Consultancy Pty Ltd, Canberra

Visiting Professor in Computer Science, ANU, CanberraVisiting Professor in Cyberspace Law & Policy, UNSW, Sydney

http://www.rogerclarke.com/EC/SforS-120625 {.html, .ppt}

Copenhagen – 25 June 2012


The Danish Council for Greater IT-Security

Danish Society of Engineers (IDA)Subgroup on IT (IDA-IT)

QuickTime™ and aTIFF (LZW) decompressorare needed to see this picture.In Association with CBIT, Roskilde University

Copyright,2012

55

Copyright,2012

56

Why Privacy is Important• Philosophically – for 'human dignity' and integrity,

and individual autonomy and self-determination• Psychologically – in public spaces as well as private• Sociologically – people need to be free to behave,

and to associate with others, subject to broad social mores, but without the continual threat of being observed

• Economically – innovators are 'deviant' from the norms of the time. The chilling effect of surveillance stifles innovation. People in countries with high labour-costs need to be free to innovate

• Politically – freedom to think, argue, and act underpins democracy. Surveillance chills behaviour and speech, and undermines democracy

Copyright,2012

57

Counterveillance Tenets• Terrorism is not new, and not unusual• The 'power to weight ratio' of a single strike has

increased (because fewer terrorists can deliver a bigger payload), but this has only limited implications for public policy

• Reactionary Extremism must not be accepted at face value

• National security and law enforcement interests mustnot be granted carte blanche to do whatever they wish

• Secrecy is not a necessary pre-condition of security• It is illegitimate to treat what are really 'public safety'

issues as though they were 'national security' matters• Counter-Terrorism is not dependent on everyone

being limited to a single State-managed identity

Copyright,2012

58

Counterveillance Principles1. Independent Evaluation of Technology2. A Moratorium on Technology

Deployments3. Open Information Flows4. Justification for Proposed Measures5. Consultation and Participation6. Evaluation7. Design Principles

1. Proportionality2. Independent Controls3. Nymity and Multiple Identity

8. Rollback

Copyright,2012

59

Design PreceptsEvery human entity has lots to hide

It's in society's interests to enable people to hide information,in order to support freedoms to express, invent, innovate

Every human entity has multiple identities, and needs them

Identity management has to encompass nymity, accepting anonymity, and facilitating pseudonymity

Pseudonymity balances social, economic and political freedoms, on the one hand, and accountability, on the other

We need credible 'strong pseudonymity', that is proof against breaches by powerful governments and corporations

Copyright,2012

60

NamesCodes

Roles

Identifier + Data-Items

Identity andAttributes

RealWorld

AbstractWorld

Identity and Identifier

Copyright,2012

61

NamesCodes

Roles



RealWorld

AbstractWorld

Identity and Identifier

ModelWorld

Domain or SubjectWorld

Copyright,2012

62

Entity andAttributes

RealWorld

AbstractWorld



The Entity/ies underlying an Identity

Copyright,2012

63


RealWorld

AbstractWorld

Entifier + Data-Items



Entity and Entifier

Copyright,2012

64


RealWorld

AbstractWorld

Record:

Entifier + Data-Items

Record:



Record:

Nym + Data-Items


m

n

m

n

1

1 1

n n n

Nymity

Copyright,2012

65

Identity Authentication and Authorisation

Its Application to Access Control

Pre-Authenticationof Evidence of

Identity or Attribute

Permissions Storeor Access

Control List

Authenticationusing the Issued

Authenticator

AuthorisationAccessControl

Registerof

Authenticators

Copyright,2012

66

Uses of Biometrics

1. For (Id)entificationA process to find 1-among-many, in order toanswer the question 'Who is it?'

2. For (Id)entity AuthenticationA process to test 1-to-1, in order to help answer the question 'Is this the person who you think it is?'

3. For Attribute Authentication w/- (Id)entity

A process to help answer the question'Does this person (whoever they are) have the attribute they purport to have?'

Copyright,2012

67

The Huge Quality Problemswith Biometric Applications

Dimensions of Quality

• Reference-Measure• Association• Test-Measure• Comparison• Result-Computation

Other Aspects of Quality

• Vulnerabilities• Quality Measures• Counter-Measures• Spiralling

Complexity

Copyright,2012

68

7. Digital Signatures and ...

A string of characters that the Sender adds to a messageThe Theory: Only the entity that has access to the relevant Private Key can have possibly sent the message

... Public Key Infrastructure (PKI)

A substantial set of equipment, software, procedures andorganisations necessary to generate and protect key-pairs,generate signatures, publish public keys and revocations,pre-authenticate signors, authenticate signatures, assure quality, insure participants, prosecute the guilty

Copyright,2012

69

What a Digital Signature Actually Means

A Digital Signature attests only that:

the message was signed by a devicethat had access to the private key

that matches the public key

Copyright,2012

70

18 Myths relating to (Id)Entity

1 - An identity exists in an organisation's database2 - You only have one identity 3 - Each identity is used by only one person4 - A biometric is a human identifier5 - Organisations create and manage identities6 - Identity Management Products actually work7 - It's generally necessary to authenticate identity ...

Copyright,2012

71

9 Only cheats/crims/terrorists have something to

hide10 Cheats etc. can be deterred, prevented and

caught, without creating a society worse than one that contains cheats etc.

11 Nyms are for cheats

12 Privacy-Enhancing Technologies (PETs) don't pay13 Data silos are bad14 Identity silos are bad15 Biometric schemes actually work16 Biometric schemes combat terrorism17 Imposed biometric schemes will work18 An id scheme is just another business systemClarke R. (2008) '(Id)Entities (Mis)Management: The Mythologies

underlying the Business Failures' Invited Keynote at 'Managing Identity in New Zealand', Wellington NZ, 29-30 April 2008, at http://www.rogerclarke.com/EC/IdMngt-0804.html

Copyright,2012

72

The Paradox of Security

• Security measures threaten security

Copyright,2012

73

Another MythYou can’t have privacy if you want

security• Yes, if course privacy protections are used by

people for anti-social and criminal ends• But the privacy advocacy argument is not

extremist like the national security agenda• Privacy protections are about:

• Justification, not Blithe Assumptions• Proportionality, not simplistic notions like

‘Zero-Tolerance’ and ‘we need to do anything that might help us wage the war on terrorism’

Copyright,2012

74

Basic Requirements of aSmartCard (Id)entity Authenticator (1 of

2)

• Restrict identified transaction trails to circumstances in which they are justified (because of the impossibility of alternatives)

• Sustain anonymity except where it is demonstrably inadequate• Make far greater use of pseudonymity, using protected indexes• Make far greater use of attribute authentication• Implement and authenticate role-ids rather than person-ids• Use (id)entity authentication only where it is essential• Sustain multiple specific-purpose ids, avoid multi-purpose ids• Ensure secure separation between applications

Copyright,2012

75

Basic Requirements of aSmartCard (Id)entity Authenticator (2 of

2)• Ownership of each card by the individual, not the State• Design of chip-based ID schemes transparent and certified• Issue and configuration of cards undertaken by multiple

organisations, including competing private sector corporations, within contexts set by standards bodies, in consultation with government and (critically) public interest representatives

• No central storage of private keys• No central storage of biometrics• Two-way device authentication, i.e. every personal chip must

verify the authenticity of devices that seek to transact with it, and must not merely respond to challenges by devices

Copyright,2012

76

'Natural' Extensions

• Biometrics

• Location and Tracking• Physical Space• Network Space

Copyright,2012

77

Concepts of Location and Tracking

• Location – knowing the whereabouts of something, in relation to known reference points

Physical Space, Network Space, Intellectual Space, ...

Precision, Accuracy, Reliability, Timeliness, ...

• Tracking – knowing the sequence of locations of something over a period of time

• Real-Time-Tracking• Retrospective Tracking

• Predictive Tracking

Copyright,2012

78

Terrorists, Organised Crime, Illegal Immigrants

Benefits Are Illusory• Mere assertions of benefits, no explanation:

‘it’s obvious’, ‘it’s intuitive’, ‘of course it will work’,all of which are partners to simplistic notions like ‘Zero-Tolerance’ and ‘we need to do anything that might help us wage the war on terrorism’

• Lack of detail on systems design• Continual drift in features

• Analyses undermine the assertions• Proponents avoid discussing the analyses

Copyright,2012

79

Miscreants (Benefits Recipients, Fine-Avoiders, ...)

Benefits May Arise, But Are Seriously Exaggerated

• Lack of detail on systems design• Continual drift in features• Double-counting of benefits from the

ID Scheme and the many existing programs

• Analyses undermine the assertions• Proponents avoid discussing the analyses

Copyright,2012

80

Conclusion

• PETs can address some PITs, but a nightmare-free Australia Card is not feasible

• Any intellectual, and any regulator, who accommodates a national identification scheme, is selling-out liberty, and derogating their duties as human beings

• We must not be cowed by either of the twin terrors of Islamic Fundamentalism and National Security Fundamentalism

Documents

Copyright, 2012 1 Security, for Society A View from the End of the World Roger Clarke Xamax Consultancy Pty Ltd, Canberra Visiting Professor in Computer