Cybersecurity: separating genuine worries from fearmongering
posted by Jonathan Zittrain
The Future of the Internet has a lot of worries in it about the state of cybersecurity. I’ve argued against some extremely knowledgeable people in saying that the cyberwarfare threat has not been greatly exaggerated. But there are some security fears that just don’t bother me so much.
In 1996, a physicist named Alan Sokal published an article in Social Text, a cultural studies journal. It was called “Transgressing the Boundaries: Toward a Transformative Hermeneutics of Quantum Gravity,” and as the name suggests, it’s pretty impenetrable. You can check it out here. Soon after it came out, he published an article in the now-defunct Lingua Franca, saying that the first article had been a hoax. He said he did it to see if the journal would “publish an article liberally salted with nonsense if (a) it sounded good and (b) it flattered the editors’ ideological preconceptions.”
I remember feeling pretty sympathetic to the Social Text editors at the time — which was before I was immersed in legal academia, where most of the law reviews are run by students and don’t perform what other fields would recognize as formal peer review. Publishing an article doesn’t mean that the journal editors agree with everything it says, and no doubt the Social Text editors had little experience dealing with physics. Sure, they could have sent it to other physicists, but in the meantime they probably welcomed what looked like a rare attempt by someone from the hard sciences to communicate with an otherwise-alien audience, even if the person was deemed an apostate by his colleagues. Moreover, being of the postmodern deconstructionist bent, they gleaned a lot from the text — no doubt more than what its insincere author had put in. (As Wiki says they put it: “its status as parody does not alter, substantially, our interest in the piece, itself, as a symptomatic document.”)
I was reminded of the Sokal Affair when I read Thomas Ryan’s presentation to the 2010 Black Hat conference about one Robin Sage. This isn’t the U.S. special ops training exercise conducted each year, but rather a fake identity the author created on LinkedIn and elsewhere.
The author says he intentionally chose the photo of a young, attractive woman in order to better do what he did next: friend a bunch of security professionals on LinkedIn. He says that Robin’s success in social networking said something about the security chops of those who friended her.
I’m not so sure. He convincingly writes that her profile’s credibility could be debunked with a little Internet sleuthing, but I don’t think it’s surprising that many social network users don’t regularly go to such lengths. Some people are picky about from whom they allow connections; others are content to accept anything that doesn’t look like a spammer, and Robin didn’t look like one.
Ryan includes some snippets of messages that Robin received from her new connections. One asked her to review a paper he was writing; another complimented her on her looks; another pointed out a job opportunity. I’m not sure any of these is troublesome. Ryan figures that if the paper were shared and was pre-publication, a malevolent person behind the Robin persona could have passed it off as his or her own. That’s a bit of a reach. Yes, anything can happen, but there are risks in any communication or interaction with a stranger or mere acquaintance. Ryan says in his paper’s summary that Robin was offered “gifts, government and corporate jobs, and options to speak at a variety of security conferences.” But when that’s unpacked in the main text, it’s all very tentative: pointing out a job opportunity is not the same as offering a job, and suggesting interest in a conference is not the same as vetting the presentation should the interest be reciprocated. There’s an intriguing section of the paper about the gender dynamic. Ryan intentionally chose a young, attractive woman as Robin’s avatar, and suggests that “Whether these same reactions would have been elicited towards another male is questionable. It can be put forth that Robin’s appearance and gender played a key role in many people’s comfort level.”
There’s some interesting research on this sort of thing, such as a study by researchers at the University of Wisconsin in which identical resumes were sent for academic jobs with only the names switched from one gender to another. They found that men were given more opportunities than their identically qualified female counterparts. At the very least, gender comfort level can cut both ways, and Ryan’s experiment was, I think even by his own account, as casual as Alan Sokal’s with Social Text. Each is more a provocation than an actual investigation of, respectively, gender bias or sloppy intellectual work.
The Robin Sage experiment — and the lessons we’re supposed to draw from it — interest me because I’m interested in the ways in which kindness among strangers can be crucial to the world being a good place to live — and the Internet functioning at all. It’s not surprising that a security professional would conduct an experiment in which people were duped into friending someone who wasn’t real and then conclude that those people were observing security practices that were too lax. But the more you think about it, the more you can think of all sorts of similar experiments: offer to help someone with his or her shopping bags, and then drop them. See someone taking a picture of his friends in a park, offer to do it so he can join the picture, and then run away with the camera. Hold a door for someone, and then hit them from behind. Should an experimenter do any of these, would the lesson be about the gullibility of the target or the cruelty of the experimenter?
To be sure, Ryan’s experiment was conducted among fellow security professionals. He suggests that Robin’s fake job description suggested that she held a U.S. federal government security clearance — so other people with clearances might be misled into sharing classified information with her. But there’s no reason to think that people would spill secrets under those circumstances any more than you’d write a check for $5,000 or give your home address to a brand new “friend” on Facebook.
The beauty of social networks like LinkedIn or Facebook is that they allow a level of connection with someone that has no easy real-world analogue. LinkedIn can be for colleagues and friends, but it also can include faraway students who want to connect with a professor they’ve never met — and maybe never will — or any number of other configurations. Just because Wikipedia allows anyone to edit most of its pages, doesn’t mean that it innately and permanently trusts every edit. The system is set up to be able to revert the work of vandals, and any example of how “easy” it is to vandalize a Wikipedia page is beside the point. The idea there is that there are more people quickly responding to vandals than there are vandals — so an open system functions. Similarly, so long as we don’t share more than we mean to, the presence of strangers among our LinkedIn colleagues or even Facebook friends shouldn’t be a red flag. More might be gained from “friends we haven’t met” than lost to the occasional bad actor.
So: pleased to meet you, Thomas Ryan — if that’s who you really are. And even if it’s not. …JZ
September 8, 2010 at 9:10 am
Posted in: Symposium (Future of Internet), Technology
Responses (3)
A.J. Sutter - September 8, 2010 at 10:42 am
There are some conspicuous differences between the Internet situation and your hypotheticals about bag-dropping, camera-stealing, etc.: (a) The anonymity and lack of physical presence on the Internet reduce the inhibitions many people might have to scam someone to their face. E.g., run away with a camera and there may be witnesses who can describe you. (b) The same factors deprive potential marks of body language, facial expressions and other bases on which to form a judgment about whether the person is trustworthy. (c) The number of potential bad actors is greatly amplified on the Internet vs. a city park. In light of these rather obvious observations, is it really unreasonable to expect security experts to be more cautious than most?
BTW, I don’t find Linked-In provides “a level of connection with someone that has no easy real-world analogue” in any way that is desirable. Mostly it’s requests from former office furniture salespeople whom I spoke to for less than a minute at some Silicon Valley evening business gathering eons ago and others who have mass-dumped my card data into their electronic address books, or their connectees. Simple email can provide a deeper level of connection, as can snail-mail. The history of mathematics is filled with stories of discoveries made or communicated through postal mail to strangers, e.g. Leibniz, Sophie Germain, Ramanujan. In general the “level of connection” afforded by electronic media between two individuals is shallower than that available by more antique means (especially face-to-face); had you said speed of connection, or number of individuals with whom one can have some connection, it would have been easier to take your point.
Steven Bellovin - September 8, 2010 at 11:00 am
This incident is an example of what is known in the security community as “social engineering”. It’s often a serious threat. I recommend reading Kevin Mitnick’s book The Art of Deception (http://www.amazon.com/Art-Deception-Controlling-Element-Security/dp/0471237124), or at least the first two thirds of it. Mitnick is a convicted hacker, but his skills were more those of the con artist than of a technologist.
Seth Finkelstein - September 8, 2010 at 11:56 am
Regarding the Sokal affair, this goes to the heart of my contention about the difference between “science” and “humanities”.
I find the Alan Sokal hoax profound, in proving that deliberate, intentional, gibberish cannot be distinguished from typical humanities articles. What matters is social relations and status of the speaker – and if the article is saying what they want to hear.
Therefore, how can one ever be confident that a similar article is not unintentional gibberish? If there was already a real life incident of the “The Emperor’s New Clothes”, how can one ever be sure there aren’t others?
This bothers me when reading famous intellectuals (present company excepted, of course).