On 7/18/15 10:32 AM, Lodewijk andré de la porte wrote:

Perfectly within the realm of the possible. A lone employee may be
able to abuse things, but they likely will be caught, fired, and the
incident has some chance of being righted and paid off. Unlikely to
actually be the case in any pervasive way. Nearly all conspiracies
leak eventually. Being a commercial company, they are a huge target
for a jackpot payday. TLAs have no such worry, which is why, when
they do illegal things and otherwise drift or charge outside the
boundaries, it is so bad. A few years ago, before Congress
stepped in to let them off the hook, phone companies like ATT were
in a tight spot for allowing a lot of open access to customer data.
I'm sure that legal departments everywhere took notice of that
exposure; Congress isn't going to do that too many more times, and
especially not for commercial gain.

Parallel construction is a big problem, although I think that it has
been exposed in some major cases lately that should soften courts
for detecting and confronting it. It's possible both for
prosecutors, TLAs, and companies wanting to steal proprietary trade
secrets. Perhaps practical and legal techniques used to combat
insider trading may start to provide some protection. It is at
least possible to take countermeasures to expose parallel
construction: information that provides ways of detecting
eavesdropping is an obvious solution.

It is certainly the case that we should consider the possible,
especially since there have been a number of surprises about how far
things actually did go in the past, especially the TLAs, but also
sometimes with companies with really bad culture. But that red team
gaming shouldn't spill over too much into our rational assessment of
actual risks and reasonable countermeasures. There is a typical
problem I call the Fallacy of Insisting on Zero Risk: A mother
fearing their children using the bathroom at the mall alone or
calling the police because someone else's child walks to the park
alone while thinking nothing of horse riding or football or rodeo or
smoking. Or OSHA-related spending of millions per death to prevent one
type of injury while ignoring other, much lower-hanging injury
risks. Gun control, vaccines, playground equipment, etc. often
involve similar elements. When making actual concrete security
choices, a rational actor considers the threat, opportunity, costs,
rewards, exposure, overhead, etc. when weighing what measures are
worth taking.

In a presentation to the Nevada Gaming Commission years ago, I used
the analogy of protecting nuclear weapons: The cost of a compromise
is nearly infinite, so the amount you would be willing to rationally
invest to prevent a compromise also can be nearly infinite. (But
apparently not given recent events related to those crews.)
Everything else falls in a lower tier where there is a cost /
benefit tradeoff. You can go far enough in taking measures that you
are worse off than if you had been compromised in the worst probable
way. The question there was how much certainty was needed that an
Internet gambler was of age. We went through a similar thing
related to porn: Early on, many jurisdictions insisted on absolute
certainty that a remote viewer was of age, or a company-ending
lawsuit or criminal case would result. Now, porn is essentially
wide open, with at most proof of control of a credit card required
to verify age; easily bypassed by a determined teenager, who could
legally have a Visa debit card anyway. For one thing, most of the
supposed damage (Meese report etc.) was bogus, so few controls are
really called for.

Now, many of us here want to be able to protect ourselves and others
out of principle, need, career, and/or interest. We may find it fun
and career-worthy to have TLA / scammer / evil genius defeating
countermeasures and tradecraft. We may get to the point we actually
need it, or work with clients who definitely do. But we shouldn't
slip into unnecessary paranoia, especially if it gets to the point
of shooting ourselves in the foot. When we're making an argument,
we are often taking the paranoid view because that's required to get
into the right mindset. After determining how to prevent issues, we
should then decide what is actually worth putting into place.

I've run my own physical Internet server, including my own DNS
servers, since 1992 when I obtained my first domain name and started
a couple ISPs. For various reasons, I will continue to do that, but
I'm not sure I'd recommend it to others, especially the
non-technical. My uptime, currently at 267 days, is basically the
lifetime of the hard drive or the rare case when the colo moves
things around.

sdw