
If a tree falls in someone else's silo...

Must-read post by Iang:


In the case of phishing, it is relatively clear. The developers believe the PKI book. The PKI people believe in the efficacy of digital signatures to prove stuff. The cryptographers believe in the perfection of mathematics, and the security world believes in the completeness of their own learning. They are all wrong, but only at the large level of generalisations, not at the detailed level of particular claims. Any one of the claims, in isolation, can be shown to be true. But, generalising these brittle claims to be solid building blocks is a completely different question. Few of the claims are strong enough to partake in a general model without severe support; the general model of secure browsing is the best evidence of how it is secure in name only.


How then is it built? By accident or by design, a series of claims meet together in a holy ring of righteous architecture. Each of the proponents claims loudly that their part is strong, but the ring has no strength. Eventually, one of the claims in the links is broken. For phishing, the browsers never did have the potential to show authenticity; not only did they not have the security strength to do it (c.f., Skype v. CSRF), they didn't even do it in practice (recall the lost padlock?), and their recent efforts to show authenticity (c.f. colour debate) reveal how far they are from understanding even the goal, let alone the implementation. Once that link was broken, and money was made, all the others revealed their weaknesses, as crooks systematically worked to breach the lot.

If we look at the wider financial collapse, now underscored by the nationalisation of the world's biggest financiers of mortgages ($5.3 trillion... or is it $5.4?), we see the same pattern. The bankers believed in their product. The originators believed in their origination, the securitizers believed in their free market and accurate price, and the holders believed in the assets. The CDO, the subprime, the other 100 special names, each was a contract. Each was clear in and of itself. But, when placed end-to-end, in a line, with a bunch of other agreements, the claims that were good in isolation were not strong enough to participate in the super-claim made of the overall edifice.
The financial system was built like a bridge; each piece rested on the previous one. And then, the clever architects bent the bridge around ... and around again, until the first piece met the last. The elegant keystone of finance was to finally lift up the first one to rest on the last.

Thus, the banks themselves invested their capital in their own product.


Maybe computer security failures won't ever result in $6 trillion worth of failures, but every day we bet more and more of our economy on networked computer systems. And those architectures are built on the precise mindsets that Iang portrays.

Banks are apt to comply with their auditor's request to run scans of their resources, but what they do not do is build systems with architectural integrity. Why do you log in with a username and password? Why are the messaging systems not locked down? Where are the strong identity tokens and claims? Do banks know that they are not on a mainframe any more?

Sadly, they don't: they build a web silo, then hook it up to the legacy silo and put a wide-open messaging system in between. There is no end-to-end security design, just silos. The banks build distributed systems, they operate distributed systems, but they don't design distributed systems.

It is too bad. It's never been a core competency of banks to design systems, but it never mattered before because IBM just drew up the plan and the banks followed it. Now everyone has their own plan, but the security architecture reflects an auditor's checklist and manager's golf games, not risk management decisions or security architecture.

If a tree falls in someone else's silo, your system doesn't hear until their silo knocks yours over...


Comments

I think you make a good point about IBM. It echoes a similar point that I make about competition and innovation being regulated out of the banking sphere, so any solution has no chance to emerge. IBM would solve that problem, in principle.

There are distinct parallels between phishing / retail payments, and the bigger investment mess. In both cases, banks would argue these are core business. In both cases, they have applied risk-based security models, and accepted some loss. In both cases, they have the ability to apply substantial experience to the monitoring, allocating and absorbing risks and losses.

In both cases, they watched and did nothing as the risks started from low, and migrated upwards. Are we at the point where regulation has killed the ability of banks to apply their (arguable) one core skill, to wit, risk-based analysis? Are banks that far out of banking that they no longer have it?

Try that link ( https://financialcryptography.com/mt/archives/001093.html )

I get an untrusted certificate error for some other site altogether. What happened?

Ah, certificates. What a nuisance. In this case, the CA that issues that certificate is not in the list of your browser. This doesn't mean it isn't trusted; quite the reverse: I trust it, but your browser does not.

Now, you could argue that the browser is right ... in which case I would respond, if the browser can correctly identify the sites, why did phishing occur? And on and on ... until we get to the description posted above.
